Edit tour

Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
Analysis ID:	1427719
MD5:	42dc58fbc7050c3e083ac79205a0aa75
SHA1:	65835ac4cc779cd165e8f5be406aaf7ca1e0124f
SHA256:	30af845f8599e256ce230a25bc8772b8da7c7ba019254de3534d0da70a9e9cc9
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Machine Learning detection for dropped file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe (PID: 1828 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe" MD5: 42DC58FBC7050C3E083AC79205A0AA75)

setup.exe (PID: 7000 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: 97D098FFE698F9400EF166FC53F86B4A)

Pinball.exe (PID: 500 cmdline: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 5204 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6184 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4816 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 416 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4020 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6304 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6808 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4548 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 3552 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 5036 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 5504 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 5372 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4160 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 3496 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 1808 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 2168 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 5268 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4040 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 5032 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4032 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6268 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6768 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6080 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4552 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4324 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 4416 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

Pinball.exe (PID: 6352 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 161915D7FFED531ADF1F43791864D6C1)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 7000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pinball

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Joe Sandbox ML: detected

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pinball

Jump to behavior

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Pinball.exe, 00000006.00000002.3000073504.00000000067F2000.00000002.00000001.01000000.0000000D.sdmp, Newtonsoft.Json.dll.3.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Pinball\Pinball.exeirewall.dlll.pdbC:\Users\user\AppData\Roaming\Pinball\Uninstall.exealll.dll source: setup.exe, 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vulkan-1.dll.pdb source: vulkan-1.dll.3.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Pinball.exe, Pinball.exe, 00000006.00000002.3000073504.00000000067F2000.00000002.00000001.01000000.0000000D.sdmp, Newtonsoft.Json.dll.3.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bGlue.pdbd source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vulkan-1.dll.pdb source: vulkan-1.dll.3.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Pinball.exe, Pinball.exe, 00000008.00000002.2787979524.00000000063B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\Pinball\obj\Release\Pinball.pdb source: Pinball.exe, 00000006.00000000.2494820553.0000000000D12000.00000002.00000001.01000000.00000009.sdmp, Pinball.exe.3.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Pinball.exe, 00000008.00000002.2787979524.00000000063B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb@ source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Pinball.exe, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Directory queried: number of queries: 1551

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_00405B6F CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_00406724 FindFirstFileA,FindClose,	0_2_00406724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_004027AA FindFirstFileA,	0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	3_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_004066FF FindFirstFileA,FindClose,	3_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_004027AA FindFirstFileA,	3_2_004027AA

Source: Pinball.exe, 0000000A.00000002.2602798625.00000000024C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: Pinball.exe, 0000000A.00000002.2602798625.00000000024C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: Pinball.exe, 0000000A.00000002.2602798625.00000000024C7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz
Source: Pinball.exe, 00000006.00000002.2612177500.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g
Source: Pinball.exe, 00000006.00000002.2612177500.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz/c/g4
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: es-419.pak.3.dr	String found in binary or memory: http://ejemplo.com
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: log4net.xml.3.dr	String found in binary or memory: http://logging.apache.org/log4j
Source: Pinball.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp, log4net.xml.3.dr	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: log4net.xml.3.dr	String found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2>
Source: setup.exe, setup.exe, 00000003.00000000.2197898384.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 00000003.00000003.2495031022.0000000000679000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Pinball.exe, 00000006.00000002.2612177500.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spanchtoc.bond/22_2/huge.dat
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spanchtoc.bond/22_2/huge.dat-
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829154967.0000000000598000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://spanchtoc.bond/22_2/huge.dat/SILENTgetOK
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spanchtoc.bond/22_2/huge.dat9
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spanchtoc.bond/22_2/huge.dati
Source: Pinball.exe, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.apache.org/).
Source: Pinball.exe, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: Pinball.exe	String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: log4net.xml.3.dr	String found in binary or memory: http://www.connectionstrings.com/
Source: log4net.xml.3.dr	String found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
Source: log4net.xml.3.dr	String found in binary or memory: http://www.iana.org/assignments/multicast-addresses
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: bn.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=bn&category=theme81https://myactivity.google.com/myactivity/?u
Source: bn.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=bnCtrl$1
Source: de.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=de&category=theme81https://myactivity.google.com/myactivity/?u
Source: de.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=deStrg$1
Source: el.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u
Source: el.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=elCtrl$1
Source: es.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u
Source: es-419.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit
Source: es-419.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=es-419Ctrl$1
Source: es.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=esCtrl$1
Source: hi.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: hi.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
Source: hu.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hu&category=theme81https://myactivity.google.com/myactivity/?u
Source: hu.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=huCtrl$1
Source: ja.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u
Source: ja.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=jaCtrl$1
Source: lv.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u
Source: lv.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lvCtrl$1
Source: pl.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u
Source: pl.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=plCtrl$1
Source: sk.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=sk&category=theme81https://myactivity.google.com/myactivity/?u
Source: sk.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=skCtrl$1
Source: te.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u
Source: te.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=teCtrl$1
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, zh-TW.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, zh-TW.pak.3.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: es-419.pak.3.dr	String found in binary or memory: https://ejemplo.com.Se
Source: Newtonsoft.Json.xml.3.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://myactivity.google.com/
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, sk.pak.3.dr, el.pak.3.dr	String found in binary or memory: https://passwords.google.com
Source: es-419.pak.3.dr	String found in binary or memory: https://passwords.google.comCuenta
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, te.pak.3.dr, zh-TW.pak.3.dr, lv.pak.3.dr, bn.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: de.pak.3.dr	String found in binary or memory: https://passwords.google.comGoogle-KontoF
Source: pl.pak.3.dr	String found in binary or memory: https://passwords.google.comKonta
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: es.pak.3.dr	String found in binary or memory: https://passwords.google.comcuenta
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://policies.google.com/
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: es.pak.3.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: Pinball.exe, Pinball.exe, 00000008.00000002.2703074661.0000000005896000.00000002.00000001.01000000.0000000B.sdmp, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: de.pak.3.dr	String found in binary or memory: https://www.beispiel.de
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, te.pak.3.dr, zh-TW.pak.3.dr, bn.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: de.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&HilfeVon
Source: hu.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&S
Source: es-419.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado
Source: es.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado
Source: lv.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&al
Source: sk.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&omocn
Source: pl.pak.3.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlPomo&cZarz
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.xml.3.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Pinball.exe, Pinball.exe, 00000006.00000002.3000073504.00000000067F2000.00000002.00000001.01000000.0000000D.sdmp, Newtonsoft.Json.dll.3.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Code function: 0_2_0040560C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040560C

Source: Pinball.exe

Process created: 65

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Code function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,

0_2_100010D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F1
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034CC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_004073D5	0_2_004073D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_00406BFE	0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_00406A88	3_2_00406A88
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_02F94F58	6_2_02F94F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_02F91049	6_2_02F91049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_05AA5F38	6_2_05AA5F38
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_05AA6808	6_2_05AA6808
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_05AA57F0	6_2_05AA57F0
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_05AA7B20	6_2_05AA7B20
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_05AA7B11	6_2_05AA7B11
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_067E2F88	6_2_067E2F88
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 8_2_01634F58	8_2_01634F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 9_2_02704F58	9_2_02704F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 10_2_021F4F58	10_2_021F4F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 10_2_021F3860	10_2_021F3860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 13_2_00934F58	13_2_00934F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 13_2_00933860	13_2_00933860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 15_2_014D4F58	15_2_014D4F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 15_2_014D3860	15_2_014D3860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 15_2_014D44C9	15_2_014D44C9
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 15_2_014D1049	15_2_014D1049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 18_2_02ED4F58	18_2_02ED4F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 18_2_02ED3860	18_2_02ED3860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 18_2_02ED1049	18_2_02ED1049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 24_2_00984F58	24_2_00984F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 24_2_00983860	24_2_00983860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 31_2_00B04F58	31_2_00B04F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 31_2_00B03865	31_2_00B03865
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 31_2_00B01049	31_2_00B01049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 35_2_00904F58	35_2_00904F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 35_2_00903860	35_2_00903860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 36_2_00C14F58	36_2_00C14F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 36_2_00C13860	36_2_00C13860

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll 9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameinetc.dllF vs SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Ionic.Zip.dll.3.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.3.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.3.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: Pinball.exe.3.dr, Program.cs

Base64 encoded string: 'PbKYnAXFjmXMZd3NoJSLsM30ZbUHxux5Ujmpl/n9oZQR9xGOSDPZyamOb9997obt', 'SZAnxei/3m2LcNNbjWTpSqnOfmpY8dHs/ljzvygy50D/wxmy+bqOWrY/qZBB2/XZ0obYqlYv8ulp/VXeplnRA5KMax4BzSqkU7NvSwfjOOw4x+u1kTaylhH+P1PxOiaRcpVpr7Ttt/95waEjxOQYCz332qwO9ljMmlKednb8KYEUpEszW6I8jihe5piPLINt+d88UVG0dD1/QdRmzmTd5dlZZyP8ZeoseT9aGh9m2EN8W707IdNf2r+KacehhS5pQIr174Gclz7V4GAr9SIKL06GLWq0ew6wHablTf0Ce4xBKFdDnv0SMCYwO93u7fN1ylS1QDg3vH1TJm06pEpncStcr1DpgR5EJoS+K65VPwiaMNi2FhXcMjljOH2L3yvIwTKCcIIXJxgZKh8gmsLOmNQy2g4h+tiPBcmHjSbyXhg5QucTYIMgse3VKPcGqKqQm7Q1llpLedscAviZrCpmeLbqLUuFen21/8UHuZUx9moCvaUYmbXSesVSXmr3lppHD17QnTcYyfQGjhKnIyUcF+JsYrvjmlHE33sl5sYSTHVCplyElBOyWWLYIsvH+iBMIHXHfJoaR5PWjQmGSR6TGxY9OYuSXnQBwgL/a1pEGSni28wcBTYoMgQiGa4TBVbhXuArYzvSu+EsVURTMAP8IWwfzVIpiPF3fRKjh4N//xsfBeNu7Y5/DZbR6rSE4KnRN0SECRCqXD1dxKPyyMt1YrhkedlGHoSbCxwtESstU9h1AFr3gvlw6HpxTLbOhBeLh6jId7WcpaYR0Fwg03TPr8GfLPHprlCUHwoKMlpKeMszrwnoWdf60FdSFXuMw7Ee', 'mtSOo2SpyVk+k5CXwxIuHscbRBjkvR5KkQSdfOADDFKdVa+v9IkYBYBslnZACRdVd2ep5gJICvb8I3M36edRvk2YJS49oHCaG3FKaUjn3Ib/1Ab+LoBSh5iO/vRTe7m3JVKCUg61tMtb1oHCgww5IBGoGHTLxbBThOomXEkN+h/f18kP28pt5GqGNKnb6LzxhPKRR31waVUo2sj/tZPaBoENNkPTlMcjucNzdAAXeryjRPvoF3Cv3ufxoEpPtYbljlYTyDqLZDvuamgDYdP9l8mrFWr06YyUG1STwPkNG1CmiJ01NizwoIHJ1MHqPGE9xfcSAJ++wU0JeIYzz+zs9M233rFT6Ae2MboUuM0xonDGg6o4NX/7XSGq6/qNX2eAPGYhNWp5FfOdVyTje10lPoGY0VOYNiwh6SbJnfuPu2TnGA0vk6QvacGAISAb+1k7AMUjIa4ppPjl7XqeURGAysO3te7aoy8gtUIN98TwHfHz72aLTJLBHhtI1zPEHOgtnzEawwui7m/2shu9+9sqUOu99jGhpmbQhI8T4jS72SKG48MW187w77IL1PokOhX/fsEmTSW/a/UWG4+8S+y+vZGlxrUC/e27o8BT7jJozZZ+DdfudTInsRMjCESDvhUucNfgB5T+yMyp5KkESfrXelqnsVia83WxeVWyk1wy13g=', 'pobB+Al9MzJ2OyJsvBhglMHMiAobQmUnDZHcJBpTt9EZGUgZgx4UruobTzqMLmLDvms3Jax0Lu8EYu3shwLXZkZODYu4BtqU02uhiHGaFLu8rYbzh/lDj9yGB5C4pRtINU2a5P9ADw1IDi941W5/iO8DtNRvpgYv1w8Q09+Yc0VIT2Ztodcwo3KMB4ZS5q2h2ckNb7/EEmQqv5Gf6Y22rAG0GjCnoc4nlaVan/Rfn3DHXN3yl1i/TFY7RianEYH/hvQbx6dlWTJHk24bovFySbxsLtR7o4WDGDSvq4K/zihlA9TDvwVre/cXNd1CNrm4tvLJWxvVqPcyG5DPFPcqWw==', 'Mr4CNglnCLGWewiQ4qgO2B5oIL7myK5pGa8ocKfa+h6/yLC+f8N5fDrZ6tzEtbIp2J9mnYK0y1wlx8yQWqQcHnml3zRcz5hB6mxSdKeYV2s=', 'oGCeB6v7vge1PX2RGTLixRW1LgrGgYfWJAz65J6WcmJA4c45r6qgTRaPj9xx1XPd', 'pobB+Al9MzJ2OyJsvBhglPi8iw+pg04ckNac5EyhhZVfVc4b9ucE9OvDVCxMyC8iYxDAXZA1FhAfeh3gKD11CMOCz7VngOi/dBoPmOy9YZU=', 'Ih92IURmtMPF5AoxpkGC9YzytAiLSVr2xfeb8NC97GCiinjUhxciARDwPkJLURB3', 'mH6AunB3p5zt3lhf+am1iwskYv2gUXA5zKNJTFsPVbZEhXEPm8Gj0v0dzKwPrP6j', 'tX3OhIohnN7Cngcyjxd9LQj+/YZTiqWrRNEBOAcyntKJkxvSVQ0vcBYIA4Lopl8I', 'wv56Dsyu30UVtEG0/Hdi0uiWTSCflxuzhJBIJDsH2oGkAWpj8V+lWDuMkmlbKQnV', 'pobB+Al9MzJ2OyJsvBhglE/lxc0T9Gd6ojVRINAOPy9YEXk6X+H9uVjltDxVbuxS9hW3pfEVqP2sXtPna7Wmnw==', 'GX19rXg4s9SSWf/bNW82zAeuhscRevXAvK4zbbDBuKScDaY4IBO0yJI/mLdoO+y+XMF9YJnpyypz+duXmT7OLQ==', 'GX19rXg4s9SSWf/bNW82zAeuhscRevXAvK4zbbDBuKQHqU4v5Upg9FE5cHzTNfM13nAzYdfFgXZJKtmvyitkOA=='

Source: classification engine

Classification label: mal60.winEXE@266/99@0/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F1
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		3_2_004034CC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Code function: 0_2_004048BC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004048BC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar,

0_2_00402173

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

File created: C:\Users\user\AppData\Roaming\Pinball

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Pinball_Logs_mainLog.txt

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

File created: C:\Users\user\AppData\Local\Temp\nsvCE85.tmp

Jump to behavior

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pinball

Jump to behavior

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Pinball.exe, 00000006.00000002.3000073504.00000000067F2000.00000002.00000001.01000000.0000000D.sdmp, Newtonsoft.Json.dll.3.dr
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Pinball\Pinball.exeirewall.dlll.pdbC:\Users\user\AppData\Roaming\Pinball\Uninstall.exealll.dll source: setup.exe, 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vulkan-1.dll.pdb source: vulkan-1.dll.3.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Pinball.exe, Pinball.exe, 00000006.00000002.3000073504.00000000067F2000.00000002.00000001.01000000.0000000D.sdmp, Newtonsoft.Json.dll.3.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bGlue.pdbd source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vulkan-1.dll.pdb source: vulkan-1.dll.3.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Pinball.exe, Pinball.exe, 00000008.00000002.2787979524.00000000063B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\Pinball\obj\Release\Pinball.pdb source: Pinball.exe, 00000006.00000000.2494820553.0000000000D12000.00000002.00000001.01000000.00000009.sdmp, Pinball.exe.3.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Pinball.exe, 00000008.00000002.2787979524.00000000063B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb@ source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Pinball.exe, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000003.00000002.2813211884.000000000061A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp

Source: Xilium.CefGlue.dll.3.dr

Static PE information: 0xD6DBC1CA [Fri Mar 24 08:50:18 2084 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

0_2_100010D0

Source: libEGL.dll.3.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.3.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll.3.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.3.dr	Static PE information: section name: .voltbl
Source: chrome_elf.dll.3.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.3.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.3.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.3.dr	Static PE information: section name: malloc_h
Source: libEGL.dll0.3.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.3.dr	Static PE information: section name: .00cfg
Source: libcef.dll.3.dr	Static PE information: section name: .00cfg
Source: libcef.dll.3.dr	Static PE information: section name: .rodata
Source: libcef.dll.3.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.3.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 6_2_067E21C0 push es; retf	6_2_067E2246
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 13_2_009330ED pushfd ; iretd	13_2_009330F2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 15_2_014D30ED pushfd ; iretd	15_2_014D30F2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 18_2_02ED30ED pushfd ; iretd	18_2_02ED30F2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 24_2_009830ED pushfd ; iretd	24_2_009830F2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 31_2_00B030ED pushfd ; iretd	31_2_00B030F2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 35_2_009030ED pushfd ; iretd	35_2_009030F2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 36_2_00C130ED pushfd ; iretd	36_2_00C130F2

Source: Ionic.Zip.dll.3.dr

Static PE information: section name: .text entropy: 6.821349263259562

Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	File created: C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	File created: C:\Users\user\AppData\Local\Temp\nslCE97.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\libcef.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pinball			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pinball			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 5290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 5210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 21F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2D30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2B10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2880000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 5010000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4600000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 48F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 24D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 8F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2D20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 16F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 30C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2710000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3190000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2C90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 29B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 27F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 30B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2830000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 29F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 49F0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libcef.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nslCE97.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 6880	Thread sleep time: -600000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 5052	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_00405B6F CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_00406724 FindFirstFileA,FindClose,	0_2_00406724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Code function: 0_2_004027AA FindFirstFileA,	0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	3_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_004066FF FindFirstFileA,FindClose,	3_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 3_2_004027AA FindFirstFileA,	3_2_004027AA

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Thread delayed: delay time: 120000			Jump to behavior

Source: Pinball.exe, 00000021.00000002.2896869674.0000000001257000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829277192.0000000000606000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829277192.0000000000606000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW?p
Source: Pinball.exe, 00000021.00000002.2896869674.0000000001257000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yH
Source: Pinball.exe, 00000006.00000002.3012247116.00000000069A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	API call chain: ExitProcess graph end node			graph_0-3373
Source: C:\Users\user\AppData\Local\Temp\setup.exe	API call chain: ExitProcess graph end node			graph_3-3648

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

0_2_100010D0

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Code function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F1

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Directory queried: number of queries: 1551

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	11 Process Injection	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	NTDS	12 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	11 Process Injection	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	3%	ReversingLabs
SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	100%	Avira	HEUR/AGEN.1343277

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	100%	Avira	HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Temp\setup.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Pinball\Del.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nslCE97.tmp\nsProcess.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Del.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libcef.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\log4net.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	0%	URL Reputation	safe
https://passwords.google.comGoogle	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
http://spanchtoc.bond/22_2/huge.dat	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=hiCtrl$1	hi.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=de&category=theme81https://myactivity.google.com/myactivity/?u	de.pak.3.dr	false		high
https://support.google.com/chrome/answer/6098869?hl=es	es.pak.3.dr	false		high
http://www.apache.org/licenses/LICEN	Pinball.exe	false		high
https://support.google.com/chrome/answer/6098869	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.html	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, te.pak.3.dr, zh-TW.pak.3.dr, bn.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado	es.pak.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlP&al	lv.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=plCtrl$1	pl.pak.3.dr	false		high
https://passwords.google.comcuenta	es.pak.3.dr	false		unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp, log4net.xml.3.dr	false		high
https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u	es.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=urCtrl$2	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=ja&category=theme81https://myactivity.google.com/myactivity/?u	ja.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u	te.pak.3.dr	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=pl&category=theme81https://myactivity.google.com/myactivity/?u	pl.pak.3.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=elCtrl$1	el.pak.3.dr	false		high
https://passwords.google.com	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, sk.pak.3.dr, el.pak.3.dr	false		high
http://www.iana.org/assignments/multicast-addresses	log4net.xml.3.dr	false		high
https://github.com/JamesNK/Newtonsoft.Json/issues/652	Newtonsoft.Json.xml.3.dr	false		high
https://chrome.google.com/webstore?hl=sk&category=theme81https://myactivity.google.com/myactivity/?u	sk.pak.3.dr	false		high
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=bnCtrl$1	bn.pak.3.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Pinball.exe, 00000006.00000002.2612177500.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bageyou.xyz	Pinball.exe, 0000000A.00000002.2602798625.00000000024C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://logging.apache.org/log4ne	Pinball.exe	false		high
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/privacy/eula_text.htmlPomo&cZarz	pl.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=jaCtrl$1	ja.pak.3.dr	false		high
https://passwords.google.comCuenta	es-419.pak.3.dr	false		unknown
http://www.connectionstrings.com/	log4net.xml.3.dr	false		high
https://support.google.com/chromebook?p=app_intent	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false		high
https://www.beispiel.de	de.pak.3.dr	false		unknown
https://chrome.google.com/webstore?hl=huCtrl$1	hu.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=lv&category=theme81https://myactivity.google.com/myactivity/?u	lv.pak.3.dr	false		high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	false		high
https://www.google.com/chrome/privacy/eula_text.html&	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
http://logging.apache.org/log4j	log4net.xml.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlT&r	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u	hi.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u	el.pak.3.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error	setup.exe, setup.exe, 00000003.00000000.2197898384.000000000040A000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 00000003.00000003.2495031022.0000000000679000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	false		high
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=ukCtrl$1	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=lvCtrl$1	lv.pak.3.dr	false		high
http://api.install-stat.debug.world/clients/installs	Pinball.exe, 0000000A.00000002.2602798625.00000000024C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.newtonsoft.com/jsonschema	Newtonsoft.Json.xml.3.dr	false		high
https://support.google.com/chrome/a/answer/9122284	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlP&omocn	sk.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=deStrg$1	de.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=teCtrl$1	te.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=zh-CNCtrl$1	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	Pinball.exe, Pinball.exe, 00000008.00000002.2703074661.0000000005896000.00000002.00000001.01000000.0000000B.sdmp, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, zh-TW.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=es-419Ctrl$1	es-419.pak.3.dr	false		high
http://spanchtoc.bond/22_2/huge.dat9	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.newtonsoft.com/json	Newtonsoft.Json.dll.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.html&HilfeVon	de.pak.3.dr	false		high
http://bageyou.xyz/c/g	Pinball.exe, 00000006.00000002.2612177500.0000000003197000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://api.install-stat.debug.world/clients/activity	Pinball.exe, 0000000A.00000002.2602798625.00000000024C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://chrome.google.com/webstore?hl=zh-TWCtrl$1	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, zh-TW.pak.3.dr	false		high
http://spanchtoc.bond/22_2/huge.dat-	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.apache.org/).	Pinball.exe, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	false		high
http://spanchtoc.bond/22_2/huge.dati	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829240178.00000000005DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826606682.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000003.2826167613.00000000005CE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://myactivity.google.com/	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.html&S	hu.pak.3.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown
https://policies.google.com/	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=esCtrl$1	es.pak.3.dr	false		high
https://ejemplo.com.Se	es-419.pak.3.dr	false		unknown
http://logging.apache.org/log4net/schemas/log4net-events-1.2>	log4net.xml.3.dr	false		high
http://spanchtoc.bond/22_2/huge.dat/SILENTgetOK	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2829154967.0000000000598000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0	Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore/category/extensions	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false		high
https://chrome.google.com/webstore?hl=hu&category=theme81https://myactivity.google.com/myactivity/?u	hu.pak.3.dr	false		high
http://bageyou.xyz/c/g4	Pinball.exe, 00000006.00000002.2612177500.0000000003197000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/	Pinball.exe, Pinball.exe, 00000008.00000002.2685490382.0000000005852000.00000002.00000001.01000000.0000000B.sdmp	false		high
https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit	es-419.pak.3.dr	false		high
https://passwords.google.comT	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://passwords.google.comGoogle	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, te.pak.3.dr, zh-TW.pak.3.dr, lv.pak.3.dr, bn.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown
http://james.newtonking.com/projects/json	Newtonsoft.Json.dll.3.dr	false	URL Reputation: safe	unknown
https://passwords.google.comKonta	pl.pak.3.dr	false		unknown
https://chrome.google.com/webstore?hl=skCtrl$1	sk.pak.3.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown
https://passwords.google.comGoogle-KontoF	de.pak.3.dr	false		unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	Pinball.exe, Pinball.exe, 00000006.00000002.3000073504.00000000067F2000.00000002.00000001.01000000.0000000D.sdmp, Newtonsoft.Json.dll.3.dr	false		high
https://chrome.google.com/webstore?hl=bn&category=theme81https://myactivity.google.com/myactivity/?u	bn.pak.3.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlYar&d	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=viCtrl$1	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.faqs.org/rfcs/rfc3164.html.	log4net.xml.3.dr	false		high
http://ejemplo.com	es-419.pak.3.dr	false		unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	setup.exe, 00000003.00000002.2813732712.0000000002877000.00000004.00000020.00020000.00000000.sdmp, de.pak.3.dr, te.pak.3.dr, zh-TW.pak.3.dr, es.pak.3.dr, lv.pak.3.dr, sk.pak.3.dr, pl.pak.3.dr, bn.pak.3.dr, es-419.pak.3.dr, hi.pak.3.dr, ja.pak.3.dr, el.pak.3.dr, hu.pak.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.45.251	unknown	United States		13335	CLOUDFLARENETUS	false
104.21.75.251	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427719
Start date and time:	2024-04-18 01:38:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
Detection:	MAL
Classification:	mal60.winEXE@266/99@0/2
EGA Information:	Successful, ratio: 76.9%
HCA Information:	Successful, ratio: 99% Number of executed functions: 288 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Execution Graph export aborted for target Pinball.exe, PID 4324 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 4552 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 6080 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Simulations

Behavior and APIs

Time	Type	Description
01:39:44	API Interceptor	2x Sleep call for process: Pinball.exe modified
01:39:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Pinball C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
01:39:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Pinball C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.45.251	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
104.21.75.251	qhtDkR9nh1.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://windowdefalerts-error0x21908-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.47.160
	https://windowdefalerts-error0x21904-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.44.151
	https://windowdefalerts-error0x21902-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	104.21.56.41
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-ac902c48ff244e4fbf44f3e3296d093d.r2.dev/updatemypassword.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://nsjw.newf.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.50.103
	https://17apmic5.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	104.22.25.131
	http://office-site-documentations0ivbe2.powerappsportals.com	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://tronld2qi8x.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	172.67.208.186
	https://dhjfku7cwbnv1c.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38
CLOUDFLARENETUS	https://windowdefalerts-error0x21908-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.47.160
	https://windowdefalerts-error0x21904-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	172.66.44.151
	https://windowdefalerts-error0x21902-alert-virus-detected.pages.dev/	Get hash	malicious	TechSupportScam	Browse	104.21.56.41
	https://groun-93ed.ehajdranrsuw.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-ac902c48ff244e4fbf44f3e3296d093d.r2.dev/updatemypassword.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://nsjw.newf.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.21.50.103
	https://17apmic5.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	104.22.25.131
	http://office-site-documentations0ivbe2.powerappsportals.com	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://tronld2qi8x.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	172.67.208.186
	https://dhjfku7cwbnv1c.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	Setup (1).exe	Get hash	malicious	Unknown	Browse
	Setup (1).exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.15071.2577.exe	Get hash	malicious	Unknown	Browse
	PmRXFyOFkf.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107369991
Entropy (8bit):	7.999806825810418
Encrypted:	true
SSDEEP:	3145728:llEYHWOjGd2Dc8gAuAC0CifHqc3iaJeWBmr3Z8FU:llEYHWOjGdSFgAD3p35+oU
MD5:	97D098FFE698F9400EF166FC53F86B4A
SHA1:	2EB3FEC5F328BE5DAD357E7E6C8477690049D8FF
SHA-256:	9E121A5D96AE758447894CBF721BB0D3C1E22C14149E50F2CE2B7F83FC8ECF5A
SHA-512:	592DD8ED50FFE9E44E37E9DE53547C92CCF19C276FD5F7868EE282CC1C5BD8A7A430E6999DF2AD81D809333E93E9F79207B4D30AAE3428B93945AFF4A1F421E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8...........X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.389604568119155
Encrypted:	false
SSDEEP:	1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:	165E1EF5C79475E8C33D19A870E672D4
SHA1:	965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:	9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:	CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslCE96.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
File Type:	data
Category:	dropped
Size (bytes):	40189
Entropy (8bit):	4.593005556653929
Encrypted:	false
SSDEEP:	384:8K1X2xqmdsItvFCBSKBWsWpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkQ:862fFmSKBhGdCjW/lX1PfYM2X1
MD5:	21D1FD6E2A81C9594ABDE6ED11BAD2C9
SHA1:	B241116D7C42B256968960DD22D6D23A3BFB8A67
SHA-256:	8EA84BDDB8828242D77EA53F01C23310AACD721F05A6E52471EE996BF6E9A529
SHA-512:	FA0D52FBA40C06B0EBD28582D312D33D77F6EDDD5E3BA22E7C98ED011E35128FDEC7773E2412EECAB6DF79DE9BB109D334490BD784ACCB686F1A7A1C48D7A8D1
Malicious:	false
Preview:	.4......,...................t...t........4.......4..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................F.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.668346578219837
Encrypted:	false
SSDEEP:	384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:	92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:	D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:	5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:	581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse Filename: Setup (1).exe, Detection: malicious, Browse Filename: Setup (1).exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.15071.2577.exe, Detection: malicious, Browse Filename: PmRXFyOFkf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslCE97.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsy8A1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	358418282
Entropy (8bit):	6.971526136703513
Encrypted:	false
SSDEEP:	3145728:hTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsCV97n+:hnUs4tvaVzTD9R+
MD5:	75BAD26EAB420D0D8097C34BF3F7AECB
SHA1:	F8FD665F549D704861F312831E208338FD97F8AB
SHA-256:	906E87417A1E33E2A72DFD3DCF2F316A329626C3BA89E460C5DE39094A57039B
SHA-512:	54615C536C3EDAB57D7238C05CBB79AF85C006A2D396239EF5FF6D48A1ED4A9B4F4FE6A2A3DE271E2F5F39882E8E7012C121C6F76DEA6B9A3EB52B2A513715DF
Malicious:	false
Reputation:	unknown
Preview:	........,.......................H...........................................................................................................................................................................................................................................................e...i...........~...j.......................3.......................................................................................................................t....W..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107369991
Entropy (8bit):	7.999806825810418
Encrypted:	true
SSDEEP:	3145728:llEYHWOjGd2Dc8gAuAC0CifHqc3iaJeWBmr3Z8FU:llEYHWOjGdSFgAD3p35+oU
MD5:	97D098FFE698F9400EF166FC53F86B4A
SHA1:	2EB3FEC5F328BE5DAD357E7E6C8477690049D8FF
SHA-256:	9E121A5D96AE758447894CBF721BB0D3C1E22C14149E50F2CE2B7F83FC8ECF5A
SHA-512:	592DD8ED50FFE9E44E37E9DE53547C92CCF19C276FD5F7868EE282CC1C5BD8A7A430E6999DF2AD81D809333E93E9F79207B4D30AAE3428B93945AFF4A1F421E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8...........X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\Del.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.622398838808078
Encrypted:	false
SSDEEP:	96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:	97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:	44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:	8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:	7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....(........0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#......0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462336
Entropy (8bit):	6.803831500359682
Encrypted:	false
SSDEEP:	6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:	6DED8FCBF5F1D9E422B327CA51625E24
SHA1:	8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:	3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:	BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(.......0..2........r...p(....}.......}"....(........(.........(......r...p(....}.......}"....(........(......0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...rr!..p.{.....{.....B...(....*..0..A........{..

C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574376
Entropy (8bit):	5.8881470355864725
Encrypted:	false
SSDEEP:	12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:	8F81C9520104B730C25D90A9DD511148
SHA1:	7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:	F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:	B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D.....{F.......-.....0...........-.r...ps....z.o......-.~.....~....X...+....b..

C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561424
Entropy (8bit):	4.606896607960262
Encrypted:	false
SSDEEP:	6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:	928ED37DB61C1E98A2831C8C01F6157C
SHA1:	98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:	39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:	F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	350720
Entropy (8bit):	5.356667826133814
Encrypted:	false
SSDEEP:	3072:3Tpj4OB0rbVVHaqIlnhblNKGrb5nmdjkOOB3r1Josf+OMhERM8wHBumScNym+ry+:jpD+5V6qQbuWss+OM2e0mScOHgI
MD5:	161915D7FFED531ADF1F43791864D6C1
SHA1:	2C782F3EB33541149E3C86DD3F6B3E57980487FB
SHA-256:	3C8A5F82AE43FB72FCA9A0A54A8131DD964474A6B4D4BDC6B6DD795C88C05D62
SHA-512:	D02A66DAA42BAF8887C2ADB11193FA74E5345B42AC2D86E99D32176A57F4BBA36F7690EA9CA1B971B9C07EBCA3775BE369910E20795F70D80409C0CF211F64E7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n.f..............0.............B.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...h.... ...................... ..`.rsrc...............................@..@.reloc...............X..............@..B................$.......H....... ...(...........H...p............................................(....s....Z..(....,...(....(.....(......(......(............~........0..W.......(....".....(......,..o....-...o.....+...( .....o....&..(!...-...........o"....."...BZ.......%..A.......0..Q.......(....(........,..o....-...o.....+...( .....o....&.._...(!...-...........o"..............!. A.......0..V.......(....(......,..o....-.~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	270140
Entropy (8bit):	5.442873184713848
Encrypted:	false
SSDEEP:	3072:9Fi6z/VXzAf3ocAINRO3r1Josf+OMhERMJA9m+4wHBumSKyggIlPB:9xFSUI/s+OM2eKz4mSkgIlPB
MD5:	0B4AF70A9209DD25AB35D60B62BB5536
SHA1:	7C8985ED6D02CA5FACB4B535763952ADBB7B165E
SHA-256:	D8C59A6BD8D717FDB511C48155BEEA007698C6A19BFC8C7DF9D86DE83F073027
SHA-512:	CC425FD61D267FC8E60E21CA2BEFED8AE8E983F6FB455A07A30C07DA1DF7D57BE522013C273BCDC432F9E81544F9495722E9207A245D69A840B2F17F1A4F1D22
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8...........X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.621956468920589
Encrypted:	false
SSDEEP:	12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:	B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:	6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:	F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:	19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(......(......(....^.(.......=...%...}....:.(......}....:.(......}....^.(.......>...%...}....:.(......}.....(.............0..,.......(....o.......3......... ....3.(....-.....0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..("..............+1...........4.......~.....~......(.....~....,..(#...-.(....-..(....+.r...ps$...z(..........b.r...p(%...~.....(....&*.r

C:\Users\user\AppData\Roaming\Pinball\cef.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1946739
Entropy (8bit):	7.989700491058983
Encrypted:	false
SSDEEP:	49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:	96AD47D78A70B33158961585D9154ECC
SHA1:	149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:	C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:	6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:	false
Reputation:	unknown
Preview:	........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)\|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....)..........F....]....3....v........v...................$... ....!8..."....#....$....%*..

C:\Users\user\AppData\Roaming\Pinball\cef_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	214119
Entropy (8bit):	7.955451054538398
Encrypted:	false
SSDEEP:	6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:	391F512173ECEC14EB5CE31299858DE1
SHA1:	3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:	E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:	44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:	false
Reputation:	unknown
Preview:	........................#.b...&.....:.g....7.....7.....7.....7\|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.\|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U\|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

C:\Users\user\AppData\Roaming\Pinball\cef_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	290001
Entropy (8bit):	7.9670215100557735
Encrypted:	false
SSDEEP:	6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:	BF59A047984EAFC79E40B0011ED4116D
SHA1:	DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:	CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:	85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:	false
Reputation:	unknown
Preview:	........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.\|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF\|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N....N.+...Nv,...N.-...N;r...N.\|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

C:\Users\user\AppData\Roaming\Pinball\cef_extensions.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1305142
Entropy (8bit):	7.99463351416358
Encrypted:	true
SSDEEP:	24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:	20DDA02AF522924E45223D7262D0E1ED
SHA1:	378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:	8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:	E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:	false
Reputation:	unknown
Preview:	........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..\|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

C:\Users\user\AppData\Roaming\Pinball\cef_sandbox.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87182312
Entropy (8bit):	5.477474753748716
Encrypted:	false
SSDEEP:	196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:	FFD456A85E341D430AFA0C07C1068538
SHA1:	59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:	F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:	EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:	false
Reputation:	unknown
Preview:	!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

C:\Users\user\AppData\Roaming\Pinball\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	656926
Entropy (8bit):	7.964275415195004
Encrypted:	false
SSDEEP:	12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
MD5:	3404DD2B0E63D9418F755430336C7164
SHA1:	0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:	0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:	685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:	false
Reputation:	unknown
Preview:	..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.\|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<\|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

C:\Users\user\AppData\Roaming\Pinball\chrome_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1017158
Entropy (8bit):	7.951759131641406
Encrypted:	false
SSDEEP:	24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
MD5:	3FBF52922588A52245DC927BCC36DBB3
SHA1:	EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:	C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:	682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:	false
Reputation:	unknown
Preview:	..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@\|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1174528
Entropy (8bit):	6.475826085865088
Encrypted:	false
SSDEEP:	24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5:	207AC4BE98A6A5A72BE027E0A9904462
SHA1:	D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:	2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:	BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2106216
Entropy (8bit):	6.4563314852745375
Encrypted:	false
SSDEEP:	49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5:	1C9B45E87528B8BB8CFA884EA0099A85
SHA1:	98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:	2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:	B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4127200
Entropy (8bit):	6.577665867424953
Encrypted:	false
SSDEEP:	49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5:	3B4647BCB9FEB591C2C05D1A606ED988
SHA1:	B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:	00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\devtools_resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2205743
Entropy (8bit):	7.923318114432295
Encrypted:	false
SSDEEP:	49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5:	54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:	33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:	2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:	5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:	false
Reputation:	unknown
Preview:	........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[....[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\...>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

C:\Users\user\AppData\Roaming\Pinball\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Reputation:	unknown
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\Pinball\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	377856
Entropy (8bit):	6.602916265542373
Encrypted:	false
SSDEEP:	6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
MD5:	8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1:	B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256:	CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512:	3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............\|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6635008
Entropy (8bit):	6.832077162910607
Encrypted:	false
SSDEEP:	196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
MD5:	63988D35D7AB96823B5403BE3C110F7F
SHA1:	8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256:	E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512:	D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\libcef.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176517632
Entropy (8bit):	7.025874989859836
Encrypted:	false
SSDEEP:	1572864:VSuR7JVHywK/Sf1rWID4Pu2v8zgguHWJEqM90Hw4DclJkBLrWXmfnehuWNIPKtlL:MCYRNIPKYTFBhfmOS9KBaVz
MD5:	F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1:	C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256:	3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512:	2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.\|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..\|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\libcef.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	40258
Entropy (8bit):	4.547436244061504
Encrypted:	false
SSDEEP:
MD5:	310744A0E10BD9C2C6F50C525E4447F9
SHA1:	9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256:	E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512:	6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious:	false
Reputation:	unknown
Preview:	!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N\|..N\|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h..h..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

C:\Users\user\AppData\Roaming\Pinball\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	470498
Entropy (8bit):	5.409080468053459
Encrypted:	false
SSDEEP:
MD5:	64F46DC20A140F2FA3D4677E7CD85DD1
SHA1:	5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256:	BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512:	F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious:	false
Reputation:	unknown
Preview:	........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.\|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

C:\Users\user\AppData\Roaming\Pinball\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	763010
Entropy (8bit):	4.909167677028143
Encrypted:	false
SSDEEP:
MD5:	3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1:	6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256:	F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512:	CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious:	false
Reputation:	unknown
Preview:	........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...\|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....\|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....\|...........$.............................1.....}.........................................Z.................\|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2....................+....",.....,

C:\Users\user\AppData\Roaming\Pinball\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	838413
Entropy (8bit):	4.920788245468804
Encrypted:	false
SSDEEP:
MD5:	C70B71B05A8CA5B8243C951B96D67453
SHA1:	DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256:	5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512:	E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.\|...w.....y.....z.....\|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).........z..............t+.....,....{,.....,....--

C:\Users\user\AppData\Roaming\Pinball\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	869469
Entropy (8bit):	4.677916300869337
Encrypted:	false
SSDEEP:
MD5:	12A9400F521EC1D3975257B2061F5790
SHA1:	100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256:	B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512:	31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious:	false
Reputation:	unknown
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

C:\Users\user\AppData\Roaming\Pinball\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1118348
Entropy (8bit):	4.2989199535081895
Encrypted:	false
SSDEEP:
MD5:	89A24AF99D5592AB8964B701F13E1706
SHA1:	2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:	5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:	60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:	false
Reputation:	unknown
Preview:	........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).........6.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

C:\Users\user\AppData\Roaming\Pinball\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537139
Entropy (8bit):	5.397688491907634
Encrypted:	false
SSDEEP:
MD5:	37B54705BD9620E69E7E9305CDFAC7AB
SHA1:	D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:	98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:	42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:	false
Reputation:	unknown
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....\|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................\|...........".....>.

C:\Users\user\AppData\Roaming\Pinball\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	545011
Entropy (8bit):	5.844949195905198
Encrypted:	false
SSDEEP:
MD5:	65A2C2A73232AB1073E44E0FB6310A5F
SHA1:	F3158AA527538819C93F57E2C778198A94416C98
SHA-256:	E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:	20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................\|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

C:\Users\user\AppData\Roaming\Pinball\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	496165
Entropy (8bit):	5.446061543230436
Encrypted:	false
SSDEEP:
MD5:	A44EC6AAA456A6129FD820CA75E968BE
SHA1:	9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:	F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:	947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:	false
Reputation:	unknown
Preview:	........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}."........../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q..................................q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

C:\Users\user\AppData\Roaming\Pinball\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	534726
Entropy (8bit):	5.49306456316532
Encrypted:	false
SSDEEP:
MD5:	49CA708EBB7A4913C36F7461F094886B
SHA1:	13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:	8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:	6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

C:\Users\user\AppData\Roaming\Pinball\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	950999
Entropy (8bit):	4.76377388695373
Encrypted:	false
SSDEEP:
MD5:	9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:	2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:	E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:	F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:	false
Reputation:	unknown
Preview:	........)$..e.H...h.P...i.X...j.b...k.q...l.\|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....\|&.....&.....'.....'....;(....t(.....(....M).....)....;....h....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

C:\Users\user\AppData\Roaming\Pinball\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	430665
Entropy (8bit):	5.517246002357965
Encrypted:	false
SSDEEP:
MD5:	0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:	C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:	E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:	07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:	false
Reputation:	unknown
Preview:	.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[............................V.....a................l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

C:\Users\user\AppData\Roaming\Pinball\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	434598
Entropy (8bit):	5.509004494756697
Encrypted:	false
SSDEEP:
MD5:	FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:	E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:	C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:	E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

C:\Users\user\AppData\Roaming\Pinball\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	524728
Entropy (8bit):	5.377464936206393
Encrypted:	false
SSDEEP:
MD5:	32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:	7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:	AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:	860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....\|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

C:\Users\user\AppData\Roaming\Pinball\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	523181
Entropy (8bit):	5.356449408331279
Encrypted:	false
SSDEEP:
MD5:	3D1720FE1D801D54420438A54CBE1547
SHA1:	8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:	AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:	C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.p...j.\|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....\|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z................f.....{...........o.................g...........+.....P.................8.....N.................".....1......................@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

C:\Users\user\AppData\Roaming\Pinball\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	475733
Entropy (8bit):	5.456553040437113
Encrypted:	false
SSDEEP:
MD5:	C00D66D3FD4FD9D777949E2F115F11FB
SHA1:	A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:	26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:	E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:	false
Reputation:	unknown
Preview:	........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...\|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

C:\Users\user\AppData\Roaming\Pinball\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	773397
Entropy (8bit):	5.04618630633187
Encrypted:	false
SSDEEP:
MD5:	C998140F7970B81117B073A87430A748
SHA1:	8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:	182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:	5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...\|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....\|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M....p.....*....n+.....+.....+....d,.....-....P-....x-

C:\Users\user\AppData\Roaming\Pinball\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	483378
Entropy (8bit):	5.428549632880935
Encrypted:	false
SSDEEP:
MD5:	1CFD31A6B740D95E4D5D53432743EBF1
SHA1:	20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:	F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:	C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

C:\Users\user\AppData\Roaming\Pinball\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	546749
Entropy (8bit):	5.197094281578282
Encrypted:	false
SSDEEP:
MD5:	6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:	BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:	3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:	47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....\|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

C:\Users\user\AppData\Roaming\Pinball\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	568277
Entropy (8bit):	5.380723339968972
Encrypted:	false
SSDEEP:
MD5:	D185162DF4CAC9DCE7D70926099D1CF1
SHA1:	46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:	E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:	987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:	false
Reputation:	unknown
Preview:	.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

C:\Users\user\AppData\Roaming\Pinball\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1103776
Entropy (8bit):	4.336526106451521
Encrypted:	false
SSDEEP:
MD5:	44F704DB17F0203FA5195DC4572C946C
SHA1:	205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:	4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:	3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:	false
Reputation:	unknown
Preview:	........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...\|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....\|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....\|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....\|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....\|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

C:\Users\user\AppData\Roaming\Pinball\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	681555
Entropy (8bit):	4.658620623200349
Encrypted:	false
SSDEEP:
MD5:	E75086A24ECAA25CD18D547AB041C65A
SHA1:	C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:	55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:	01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....\|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

C:\Users\user\AppData\Roaming\Pinball\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1167065
Entropy (8bit):	4.308980564019689
Encrypted:	false
SSDEEP:
MD5:	1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:	56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:	62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:	3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y..........}...........;........................................[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6..........*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

C:\Users\user\AppData\Roaming\Pinball\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	526575
Entropy (8bit):	5.518614920030561
Encrypted:	false
SSDEEP:
MD5:	0BD2F9847C151F9A6FC0D59A0074770C
SHA1:	EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:	5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:	0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:	false
Reputation:	unknown
Preview:	........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...\|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

C:\Users\user\AppData\Roaming\Pinball\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	566819
Entropy (8bit):	5.6387082185760935
Encrypted:	false
SSDEEP:
MD5:	4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:	5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:	AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:	0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.............................................".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

C:\Users\user\AppData\Roaming\Pinball\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	466959
Entropy (8bit):	5.379636778781472
Encrypted:	false
SSDEEP:
MD5:	1466C484179769A2263542E943742E59
SHA1:	18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:	C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:	ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:	false
Reputation:	unknown
Preview:	........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....\|.......................C.....b.....r...........1.....h.

C:\Users\user\AppData\Roaming\Pinball\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	522800
Entropy (8bit):	5.284113957149261
Encrypted:	false
SSDEEP:
MD5:	7767A70358D0AE6D408FF979DF9B2CD4
SHA1:	9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:	672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:	913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:	false
Reputation:	unknown
Preview:	........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2..................................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x..............................................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

C:\Users\user\AppData\Roaming\Pinball\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	634636
Entropy (8bit):	5.718480148171718
Encrypted:	false
SSDEEP:
MD5:	4A4AF69546DCF65F2D722A574E221BEA
SHA1:	EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:	7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:	0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:	false
Reputation:	unknown
Preview:	........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...\|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U................d.....z....."................?...........X.................`.................@.................g............ ..... ..... .....

C:\Users\user\AppData\Roaming\Pinball\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1256908
Entropy (8bit):	4.247594585839553
Encrypted:	false
SSDEEP:
MD5:	6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:	6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:	E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:	BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:	false
Reputation:	unknown
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[......................................................................u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N...............,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

C:\Users\user\AppData\Roaming\Pinball\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532715
Entropy (8bit):	6.0824169765918725
Encrypted:	false
SSDEEP:
MD5:	5FD9942F57FFC499481947DB0C3FDFA7
SHA1:	4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:	09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:	97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:	false
Reputation:	unknown
Preview:	........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...\|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

C:\Users\user\AppData\Roaming\Pinball\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	573015
Entropy (8bit):	5.63016577624216
Encrypted:	false
SSDEEP:
MD5:	8745B87D09D9ECC1112C60F5DD934034
SHA1:	2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:	D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:	27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:	false
Reputation:	unknown
Preview:	........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

C:\Users\user\AppData\Roaming\Pinball\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	570683
Entropy (8bit):	5.624052036286866
Encrypted:	false
SSDEEP:
MD5:	E16B0B814074ACBD3A72AF677AC7BE84
SHA1:	10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:	46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:	70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:	false
Reputation:	unknown
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................\|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

C:\Users\user\AppData\Roaming\Pinball\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1307271
Entropy (8bit):	4.279854356980692
Encrypted:	false
SSDEEP:
MD5:	309E068B4E15157486D095301370B234
SHA1:	D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:	4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:	6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:	false
Reputation:	unknown
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................\|............ ..... .....!.....!....".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....)..........*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....\|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

C:\Users\user\AppData\Roaming\Pinball\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1075591
Entropy (8bit):	4.313573412022857
Encrypted:	false
SSDEEP:
MD5:	69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:	C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:	6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:	8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).........y.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

C:\Users\user\AppData\Roaming\Pinball\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	489457
Entropy (8bit):	5.250540323172458
Encrypted:	false
SSDEEP:
MD5:	A1253E64F8910162B15B56883798E3C0
SHA1:	68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:	E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:	ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:	false
Reputation:	unknown
Preview:	........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

C:\Users\user\AppData\Roaming\Pinball\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	476208
Entropy (8bit):	5.4272499712806965
Encrypted:	false
SSDEEP:
MD5:	622ED80836E0EF3F949ED8A379CBE6DF
SHA1:	9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:	560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:	950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:	false
Reputation:	unknown
Preview:	........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....\|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

C:\Users\user\AppData\Roaming\Pinball\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	491139
Entropy (8bit):	5.362822162782947
Encrypted:	false
SSDEEP:
MD5:	C8378A81039DB6943F97286CC8C629F1
SHA1:	758D9AB331C394709F097361612C6D44BDE4E8FE
SHA-256:	318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
SHA-512:	6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
Malicious:	false
Reputation:	unknown
Preview:	.........$..e....h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................#..........1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................\|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

C:\Users\user\AppData\Roaming\Pinball\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	550453
Entropy (8bit):	5.757462673735937
Encrypted:	false
SSDEEP:
MD5:	80C5893068C1D6CE9AEF23525ECAD83C
SHA1:	A2A7ADEE70503771483A2500786BF0D707B3DF6B
SHA-256:	0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
SHA-512:	3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
Malicious:	false
Reputation:	unknown
Preview:	........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

C:\Users\user\AppData\Roaming\Pinball\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	516256
Entropy (8bit):	5.426294949123783
Encrypted:	false
SSDEEP:
MD5:	3BA426E91C34E1C33F13912974835F7D
SHA1:	467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
SHA-256:	CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
SHA-512:	824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
Malicious:	false
Reputation:	unknown
Preview:	........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

C:\Users\user\AppData\Roaming\Pinball\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	518861
Entropy (8bit):	5.4029194034596575
Encrypted:	false
SSDEEP:
MD5:	4D7D724BE592BD0280ED28388EAA8D43
SHA1:	8E3C46B77639EB480A90AD27383FBB14C4176960
SHA-256:	4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
SHA-512:	D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
Malicious:	false
Reputation:	unknown
Preview:	........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...\|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....\|...........J.......

C:\Users\user\AppData\Roaming\Pinball\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537125
Entropy (8bit):	5.4566742297332596
Encrypted:	false
SSDEEP:
MD5:	4F1C0A8632218F6FEF6BAB0917BEB84F
SHA1:	05E497C8525CB1ADE6A0DAEFE09370EC45176E35
SHA-256:	9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
SHA-512:	A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
Malicious:	false
Reputation:	unknown
Preview:	........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

C:\Users\user\AppData\Roaming\Pinball\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	878725
Entropy (8bit):	4.848685093578222
Encrypted:	false
SSDEEP:
MD5:	3A3D0D865A78399306924D3ED058274E
SHA1:	AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256:	EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512:	ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious:	false
Reputation:	unknown
Preview:	.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....\|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]..........+....$+.....+.....,.....-

C:\Users\user\AppData\Roaming\Pinball\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	553886
Entropy (8bit):	5.812150703289796
Encrypted:	false
SSDEEP:
MD5:	A9656846F66A36BB399B65F7B702B47D
SHA1:	4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:	02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:	7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:	false
Reputation:	unknown
Preview:	........5$..e.`...h.h...i.\|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....\|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

C:\Users\user\AppData\Roaming\Pinball\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532410
Entropy (8bit):	5.486224954097277
Encrypted:	false
SSDEEP:
MD5:	BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:	84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:	833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:	1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....\|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

C:\Users\user\AppData\Roaming\Pinball\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	818089
Entropy (8bit):	4.779985663253385
Encrypted:	false
SSDEEP:
MD5:	AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:	CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:	1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:	CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:	false
Reputation:	unknown
Preview:	........=$\|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........\|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

C:\Users\user\AppData\Roaming\Pinball\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	479512
Entropy (8bit):	5.541069475898216
Encrypted:	false
SSDEEP:
MD5:	09592A0D35100CD9707C278C9FFC7618
SHA1:	B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:	9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:	E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.\|...t.....v.....w.....y.....z.....\|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................\|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

C:\Users\user\AppData\Roaming\Pinball\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	504856
Entropy (8bit):	5.34516819438501
Encrypted:	false
SSDEEP:
MD5:	9E038A0D222055FED6F1883992DCA5A8
SHA1:	8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:	DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:	FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:	false
Reputation:	unknown
Preview:	........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

C:\Users\user\AppData\Roaming\Pinball\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1298313
Entropy (8bit):	4.058495187693592
Encrypted:	false
SSDEEP:
MD5:	36104CB0D5E26E0BBB313E529C14F4B4
SHA1:	69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:	DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:	D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:	false
Reputation:	unknown
Preview:	.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4..........*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

C:\Users\user\AppData\Roaming\Pinball\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1199612
Entropy (8bit):	4.314031920337284
Encrypted:	false
SSDEEP:
MD5:	98714389748A98ECC536CD2F17859BDF
SHA1:	07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:	8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:	38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:	false
Reputation:	unknown
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...\|.]...}.o.....w.....\|.......................................................................X...........J...........\|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....$....k$.....%.....&....6'.....'.....(.....)........._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

C:\Users\user\AppData\Roaming\Pinball\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1008989
Entropy (8bit):	4.356501290091745
Encrypted:	false
SSDEEP:
MD5:	56F29DE3465795E781A52FCF736BBE08
SHA1:	EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:	529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:	519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:	false
Reputation:	unknown
Preview:	........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...\|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....\|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....)...............+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

C:\Users\user\AppData\Roaming\Pinball\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	515329
Entropy (8bit):	5.616482888977033
Encrypted:	false
SSDEEP:
MD5:	46CA9EE922C3C175DE466066F40B29CE
SHA1:	5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:	BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:	45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:	false
Reputation:	unknown
Preview:	........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...\|.\|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

C:\Users\user\AppData\Roaming\Pinball\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	876131
Entropy (8bit):	4.88404350774067
Encrypted:	false
SSDEEP:
MD5:	1365ABDD1EFB44720EA3975E4A472530
SHA1:	8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:	29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:	2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........\|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

C:\Users\user\AppData\Roaming\Pinball\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	765853
Entropy (8bit):	5.17061834928747
Encrypted:	false
SSDEEP:
MD5:	3FED15E64BEAFBA75DE61B08A45AE106
SHA1:	E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:	B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:	3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:	false
Reputation:	unknown
Preview:	........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....\|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s............................p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3..............]+.....+.....,....F,.....,....z-.....-

C:\Users\user\AppData\Roaming\Pinball\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	609259
Entropy (8bit):	5.796202390024141
Encrypted:	false
SSDEEP:
MD5:	CD741C24AF7597E0DC11069D3AC324E0
SHA1:	2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:	13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:	6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r....s.;...t.D...v.Y...w.f...y.l...z.{...\|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._..................................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

C:\Users\user\AppData\Roaming\Pinball\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	441207
Entropy (8bit):	6.685712707138377
Encrypted:	false
SSDEEP:
MD5:	99E6ACFB46923C4F8B29058E9EE6166B
SHA1:	AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:	9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:	4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:	false
Reputation:	unknown
Preview:	.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................\|.......................x.

C:\Users\user\AppData\Roaming\Pinball\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	439630
Entropy (8bit):	6.6906570508767995
Encrypted:	false
SSDEEP:
MD5:	BB7C995F257B9125457381BB01856D72
SHA1:	21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:	F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:	5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:	false
Reputation:	unknown
Preview:	.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....\|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

C:\Users\user\AppData\Roaming\Pinball\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	5.778490068583466
Encrypted:	false
SSDEEP:
MD5:	7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:	4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:	EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:	91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>....?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}.......0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4.............//........{...."..}......{........0..4..........%...(5....-.~....r?..p(....+...}.......,..(6............')........{......{...."..}.......{...."..}....*.0..........

C:\Users\user\AppData\Roaming\Pinball\log4net.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1547797
Entropy (8bit):	4.370092880615517
Encrypted:	false
SSDEEP:
MD5:	32AB4E0A9A82245EE3B474EF811F558F
SHA1:	9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:	9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:	A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

C:\Users\user\AppData\Roaming\Pinball\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	342741
Entropy (8bit):	5.496697631795104
Encrypted:	false
SSDEEP:
MD5:	A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:	7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:	BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:	0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:	false
Reputation:	unknown
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

C:\Users\user\AppData\Roaming\Pinball\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	8226870
Entropy (8bit):	7.996842728494533
Encrypted:	true
SSDEEP:
MD5:	F7EC58AEA756F3FD8A055AC582103A78
SHA1:	086B63691F5E5375A537E99E062345F56512A22C
SHA-256:	517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:	C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:	false
Reputation:	unknown
Preview:	............f.6:..{..D..\|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.\|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

C:\Users\user\AppData\Roaming\Pinball\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	276319
Entropy (8bit):	4.242318669799302
Encrypted:	false
SSDEEP:
MD5:	8234983533FA47D2A1D7710FF8274299
SHA1:	E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:	F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:	1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:	false
Reputation:	unknown
Preview:	.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\start.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.280394654123194
Encrypted:	false
SSDEEP:
MD5:	8DF76852BBEBBFC80BF532E3EDE3FE73
SHA1:	3EDDA1A4863E23A7C0EA7703B2BC829EA6D9F915
SHA-256:	BC2B1D303969AEDE1FB7388B6976AEA5C91002DA67CBD4E9DB07A3CE52474E54
SHA-512:	DA777AEB17FD11E189A640DDEFF1DECF37A1213ED9802C6B7FD3859784B3F1C0D1C812E407029376E2928C9BCE2E937D4FD772263336FF576AFB18A823AAA4E4
Malicious:	false
Reputation:	unknown
Preview:	start Pinball.exe S2XRyqLXeg

C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	MSVC program database ver 7.00, 512*4023 bytes
Category:	dropped
Size (bytes):	2059776
Entropy (8bit):	4.067542396670122
Encrypted:	false
SSDEEP:
MD5:	70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:	0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:	38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:	47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:	false
Reputation:	unknown
Preview:	Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.54104466243173
Encrypted:	false
SSDEEP:
MD5:	7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:	99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:	24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:	2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2445312
Entropy (8bit):	6.750207745422387
Encrypted:	false
SSDEEP:
MD5:	334C3157E63A34B22CCE25A44A04835F
SHA1:	C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:	3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:	11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	631017
Entropy (8bit):	5.144793130466209
Encrypted:	false
SSDEEP:
MD5:	0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:	BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:	3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:	0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:	false
Reputation:	unknown
Preview:	..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4400640
Entropy (8bit):	6.667314807988382
Encrypted:	false
SSDEEP:
MD5:	7F913E31D00082338F073EF60D67B335
SHA1:	AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:	B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:	E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Reputation:	unknown
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826368
Entropy (8bit):	6.78646032943732
Encrypted:	false
SSDEEP:
MD5:	A031EB19C61942A26EF74500AD4B42DF
SHA1:	FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:	207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:	80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....\|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......\|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.566524833521835
Encrypted:	false
SSDEEP:
MD5:	6D7FD214164C858BBCF4AA050C114E8C
SHA1:	B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:	3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:	0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.300423142421655
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
File size:	233'515 bytes
MD5:	42dc58fbc7050c3e083ac79205a0aa75
SHA1:	65835ac4cc779cd165e8f5be406aaf7ca1e0124f
SHA256:	30af845f8599e256ce230a25bc8772b8da7c7ba019254de3534d0da70a9e9cc9
SHA512:	3fdd48a79b701ecf8a261ed5a0e22bc99d81c6fbd8233b73bd155adbef3f308dae5f24bd0ca42c250daf95485f70f831db617c788eb9bdf0f122ee48a85edc8d
SSDEEP:	3072:LdwWsF1XDWLAlcYZM4n99drfQfnhfzMVklgQhS:LPs/fJj2hfzMVkl3hS
TLSH:	7F347357EEC2B016DD3298BD95594B34B144EC3BB9E02313BEE4F21D5A3AA01DC472A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...w.Oa.................h...\|.......4............@

File Icon


Icon Hash:	1749e2a4b0d26107

Static PE Info

General

Entrypoint:	0x4034f1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B77 [Sat Sep 25 21:58:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f10e4da994053bf80c20cee985b32e29

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000220h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-10h], edi
mov dword ptr [ebp-04h], 0040A130h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-0Ch], 00000020h
call dword ptr [004080B0h]
mov esi, dword ptr [004080C0h]
lea eax, dword ptr [ebp-000000C0h]
push eax
mov dword ptr [ebp-000000ACh], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-28h], edi
mov dword ptr [ebp-000000C0h], 0000009Ch
call esi
test eax, eax
jne 00007FC7EC91FDD1h
lea eax, dword ptr [ebp-000000C0h]
mov dword ptr [ebp-000000C0h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B0h], 02h
jne 00007FC7EC91FDBCh
movsx cx, byte ptr [ebp-0000009Fh]
mov al, byte ptr [ebp-000000ACh]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-26h], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-000000B0h], 02h
jnc 00007FC7EC91FDB4h
and byte ptr [ebp-26h], 00000000h
cmp byte ptr [ebp-000000ABh], 00000041h
jl 00007FC7EC91FDA3h
movsx ax, byte ptr [ebp-000000ABh]
sub eax, 40h
mov word ptr [ebp-2Ch], ax
jmp 00007FC7EC91FD96h
mov word ptr [ebp-2Ch], di
cmp dword ptr [ebp-000000BCh], 0Ah
jnc 00007FC7EC91FD9Ah
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x2cc58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6710	0x6800	ce5ea12d8928af396fab397be4d86e7b	False	0.6721379206730769	data	6.457647337216819	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1382	0x1400	bc5ab97ffda7e39e35bf0c1f7a27854b	False	0.4630859375	data	5.260451498562911	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25558	0x600	a4d50f221ae2d23d0280180871dbcfc8	False	0.4680989583333333	data	4.219370823365332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x40000	0x2cc58	0x2ce00	0816f04cde0643b384ed19f6b5ae26da	False	0.2781979021587744	data	5.915104642446558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x40310	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.1422423991482314
RT_ICON	0x50b38	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.2018604162287156
RT_ICON	0x59fe0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.22310536044362292
RT_ICON	0x5f468	0x48e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9983387814157869
RT_ICON	0x63d50	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.21545819555975437
RT_ICON	0x67f78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.28526970954356845
RT_ICON	0x6a520	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3273921200750469
RT_ICON	0x6b5c8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.4344262295081967
RT_ICON	0x6bf50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.523936170212766
RT_DIALOG	0x6c3b8	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x6c5c0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x6c6b8	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x6c7a8	0x84	data	English	United States	0.7348484848484849
RT_MANIFEST	0x6c830	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersionExA, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	01:38:58
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"
Imagebase:	0x400000
File size:	233'515 bytes
MD5 hash:	42DC58FBC7050C3E083AC79205A0AA75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:39:12
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Local\Temp\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup.exe"
Imagebase:	0x400000
File size:	107'369'991 bytes
MD5 hash:	97D098FFE698F9400EF166FC53F86B4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:39:41
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Imagebase:	0xd10000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:39:45
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xfc0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:39:45
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xeb0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:39:46
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x540000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:39:46
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x1b0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:39:46
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xd0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:39:47
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xef0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	01:39:48
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xd0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:39:48
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x980000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	01:39:49
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xab0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:39:51
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x490000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	01:39:51
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x9d0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	01:39:51
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xd10000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:39:52
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xc50000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	01:39:52
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x5f0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	01:39:52
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x430000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	01:39:52
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x590000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	01:39:53
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x610000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	01:39:53
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x320000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:39:53
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xa00000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:39:53
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x250000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	01:39:53
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xd40000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	01:39:53
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xe60000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	01:39:54
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x800000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	01:39:54
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xdf0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	01:39:54
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x4e0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:39:55
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xec0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	01:39:55
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xb30000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:39:55
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x850000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	01:39:55
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x2b0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	01:39:56
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x490000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	01:39:56
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x9a0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	01:39:56
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xc20000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	01:39:56
Start date:	18/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x7f0000
File size:	350'720 bytes
MD5 hash:	161915D7FFED531ADF1F43791864D6C1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.2%
Total number of Nodes:	1416
Total number of Limit Nodes:	42

Executed Functions

Function 004034F1 Relevance: 96.7, APIs: 34, Strings: 21, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403514
GetVersionExA.KERNEL32(?), ref: 0040353D
GetVersionExA.KERNEL32(0000009C), ref: 00403554
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040361D
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040365A
OleInitialize.OLE32(00000000), ref: 00403661
SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040367F
GetCommandLineA.KERNEL32(Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 00403694
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000000,?,00000007,00000009,0000000B), ref: 004036CE
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037C7
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037D8
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037E4
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037F8
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403800
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403811
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403819
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 0040382D
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038D3
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038D8
ExitProcess.KERNEL32 ref: 004038F9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000000,?,?,00000007,00000009,0000000B), ref: 0040390C
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000000,?,?,00000007,00000009,0000000B), ref: 0040391B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403926
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403932
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040394E
DeleteFileA.KERNEL32(00429478,00429478,?,00430000,?,?,00000007,00000009,0000000B), ref: 004039AB
CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,00429478,00000001), ref: 004039C0
CloseHandle.KERNEL32(00000000,00429478,00429478,?,00429478,00000000,?,00000007,00000009,0000000B), ref: 004039ED
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403A1B
OpenProcessToken.ADVAPI32(00000000), ref: 00403A22
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A36
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A55
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A7A
ExitProcess.KERNEL32 ref: 00403A9B

Strings

TMP, xrefs: 00403814
UXTHEME, xrefs: 00403611, 00403616, 0040361C
NSIS Error, xrefs: 00403685
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403506
C:\Users\user\AppData\Roaming\Pinball, xrefs: 004037AC, 004038AB, 00403954, 0040395E
"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe", xrefs: 0040369A, 004036A0, 0040384F
TEMP, xrefs: 0040380C
Setup Pinball 22, xrefs: 0040368A
1033, xrefs: 00403828
C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 004038B6
Error launching installer, xrefs: 00403891
C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, xrefs: 004039BB
Low, xrefs: 004037FA
", xrefs: 004036F1
.tmp, xrefs: 00403920
\Temp, xrefs: 004037DE
C:\Users\user\AppData\Local\Temp\, xrefs: 004037BC, 004037C1, 004037D7, 004037E3, 004037F2, 004037FF, 0040380B, 00403813, 00403909, 0040391A, 00403925, 00403931, 0040393E, 0040394D, 00403A02
C:\Users\user\Desktop, xrefs: 0040392B, 00403930, 0040395D
SeShutdownPrivilege, xrefs: 00403A30
A, xrefs: 0040358F
~nsu, xrefs: 00403904

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\update$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Pinball 22$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-80524432
Opcode ID: 81fd53c31f629a5d9fc5bfd721c55a9fc960827f33750ddf9d0d7531c1fac7e3
Instruction ID: e98e4a5fe24b7fbee69c2a6f36de3ff31cd048084844d0745fc1e9075a3efd0a
Opcode Fuzzy Hash: 81fd53c31f629a5d9fc5bfd721c55a9fc960827f33750ddf9d0d7531c1fac7e3
Instruction Fuzzy Hash: 9DE11470900254AADB21AF759D49B6F7EB89F4670AF0480BFF541B61D2C7BC4A05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 100010D0 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?), ref: 100010F2

Strings

Process32First, xrefs: 1000124B
KERNEL32.DLL, xrefs: 10001225
NTDLL.DLL, xrefs: 10001127
NtQuerySystemInformation, xrefs: 1000113B
CreateToolhelp32Snapshot, xrefs: 10001243
Process32Next, xrefs: 10001255

Memory Dump Source

Source File: 00000000.00000002.2829821520.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2829797953.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2829836660.0000000010002000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2829851945.0000000010004000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd

Similarity

API ID: Version
String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
API String ID: 1889659487-877962304
Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405B6F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405B98
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*,?,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405BE0
lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*,?,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405C01
lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*,?,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405C07
FindFirstFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*,?,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405C18
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CC5
FindClose.KERNEL32(00000000), ref: 00405CD6

Strings

\*.*, xrefs: 00405BDA
C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*, xrefs: 00405BC8, 00405BCE, 00405BDF, 00405C15
"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe", xrefs: 00405B78

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"$C:\Users\user\AppData\Local\Temp\nslCE97.tmp\*.*$\*.*
API String ID: 2035342205-94388497
Opcode ID: faded9c196cd74838ca1e91bb8710b4837c88517674c147a6894f7a7db6857f4
Instruction ID: 4718808f158ea52fcca0691a24e1ebca9c7702a3109b9de6f7b9021a1af4e111
Opcode Fuzzy Hash: faded9c196cd74838ca1e91bb8710b4837c88517674c147a6894f7a7db6857f4
Instruction Fuzzy Hash: 3C51B130809B04AAEB226B218D49BAF7A78DF52718F14813BF845751D1C77C9982DEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406724 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(76233410,0042C108,C:\,00405E70,C:\,C:\,00000000,C:\,C:\,76233410,?,76232EE0,00405B8F,?,76233410,76232EE0), ref: 0040672F
FindClose.KERNEL32(00000000), ref: 0040673B

Strings

C:\, xrefs: 00406724

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction ID: c9c9a12bc8b774ad06f6f9f90ff499a93993566126ae4f8ffc97a4986822620a
Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction Fuzzy Hash: 62D012715081309BD3405B386D4C85B7A58AF153353618A36F866F22E0D7348C228698

Uniqueness

Uniqueness Score: -1.00%

Function 00403B93 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067B9: GetModuleHandleA.KERNEL32(?,00000000,?,00403633,0000000B), ref: 004067CB
Part of subcall function 004067B9: GetProcAddress.KERNEL32(00000000,?), ref: 004067E6

lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000009,0000000B), ref: 00403C0E
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,?,?,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,C:\Users\user\AppData\Roaming\Pinball,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76233410), ref: 00403C83
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C96
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000009,0000000B), ref: 00403CA1
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Pinball), ref: 00403CEA

Part of subcall function 0040630B: wsprintfA.USER32 ref: 00406318

RegisterClassA.USER32(0042EBE0), ref: 00403D27
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D3F
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D74
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",00000009,0000000B), ref: 00403DAA
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBE0), ref: 00403DD6
GetClassInfoA.USER32(00000000,RichEdit,0042EBE0), ref: 00403DE3
RegisterClassA.USER32(0042EBE0), ref: 00403DEC
DialogBoxParamA.USER32(?,00000000,00403F30,00000000), ref: 00403E0B

Strings

.exe, xrefs: 00403C90
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403C1D, 00403C25, 00403CBD, 00403CC3, 00403CD3
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403C51, 00403C59, 00403C66, 00403CB0, 00403CB6
RichEdit, xrefs: 00403DDD
"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe", xrefs: 00403B96
_Nb, xrefs: 00403D06, 00403D6E
B, xrefs: 00403CF9
.DEFAULT\Control Panel\International, xrefs: 00403BF9
Control Panel\Desktop\ResourceLocale, xrefs: 00403BC7
RichEdit20A, xrefs: 00403DCE, 00403DD4
1033, xrefs: 00403BB3, 00403C09
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B98
RichEd20, xrefs: 00403DB0
RichEd32, xrefs: 00403DBE

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
API String ID: 1975747703-3412932766
Opcode ID: c630cd98a2914be9174b26e2e738905288855d424b9324edbec4349d293c1a18
Instruction ID: d89710434fc60f72bff50dd0b8e8498b1a5d6f9b4449ddb9e8b665c251f4a15f
Opcode Fuzzy Hash: c630cd98a2914be9174b26e2e738905288855d424b9324edbec4349d293c1a18
Instruction Fuzzy Hash: 3F61E4702042016EE620BF669D46F373A6CEB44B4DF40443FF941B22E2CB7CA9168A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F5C Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,00000400), ref: 00402F8C

Part of subcall function 00405F40: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,80000000,00000003), ref: 00405F44
Part of subcall function 00405F40: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 0040311A

Strings

Inst, xrefs: 00403043
Null, xrefs: 00403055
soft, xrefs: 0040304C
Error launching installer, xrefs: 00402FAC
C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403187
"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe", xrefs: 00402F65
sDialogMessageA, xrefs: 00403124
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040313A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031D5
C:\Users\user\Desktop, xrefs: 00402FB7, 00402FBC, 00402FC2

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$sDialogMessageA$soft
API String ID: 2803837635-3594598217
Opcode ID: 2005f208a2339c59ab43fef2da7853fb62fc6b40e03fcb6696291913a7135b04
Instruction ID: c3dda028fec246d51fc2d1f070f96728b3bff22ba0095c66adda34c0f2e45969
Opcode Fuzzy Hash: 2005f208a2339c59ab43fef2da7853fb62fc6b40e03fcb6696291913a7135b04
Instruction Fuzzy Hash: F971D271A00208ABDB21AF64DE45B9A7BBCEB14319F50403BF505BB2D1D77CAE458B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00406440 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 0040656E
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400,?,0042A098,00000000,00405506,0042A098,00000000), ref: 00406581
SHGetSpecialFolderLocation.SHELL32(00405506,00000000,?,0042A098,00000000,00405506,0042A098,00000000), ref: 004065BD
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 004065CB
CoTaskMemFree.OLE32(00000000), ref: 004065D7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FB
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,0042A098,00000000,00405506,0042A098,00000000,00000000,00000000,00000000), ref: 0040664D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040653D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065F5
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 0040646A, 0040653A, 0040653B, 0040653C, 00406558, 0040656D, 00406580, 0040659C, 004065C7, 004065FA, 00406600, 00406618, 0040662B, 00406646, 0040664C, 00406654, 0040667E

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\setup.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2971578385
Opcode ID: 38398d6ecce7c9880a138569f5858357a9108e76e203ad91a2b6340bc4305649
Instruction ID: 268467668beee15eea63ad286a81141898b18a339a36d3837aab5ec1b06c59ca
Opcode Fuzzy Hash: 38398d6ecce7c9880a138569f5858357a9108e76e203ad91a2b6340bc4305649
Instruction Fuzzy Hash: 13610470900100AEEF215F34ED90B7E3BA4AB15718F52413FE943BA2D1D27E8962CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004063AD: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403694,Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 004063BA

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

Strings

C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball\update
API String ID: 1941528284-2678378001
Opcode ID: cacce34dfe87c937726664b238e8662d685e89b268f2d0ef46f5665a7110999c
Instruction ID: d74f000fe0db08ada4b1866606914215aeb9a6e76c7c3683a032828096269754
Opcode Fuzzy Hash: cacce34dfe87c937726664b238e8662d685e89b268f2d0ef46f5665a7110999c
Instruction Fuzzy Hash: 4041C731910515BACF107BB5CD45EAF3678EF05328B20833BF422F20E1D67C89529A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040332A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040333E

Part of subcall function 004034A9: SetFilePointer.KERNEL32(00000000,00000000,00000000,004031A9,?), ref: 004034B7

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,00403254,00000004,00000000,00000000,0000000B,?,004031D0,000000FF,00000000,00000000,00000009,?), ref: 00403371
SetFilePointer.KERNEL32(?,00000000,00000000,0040B8A0,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254,00000004,00000000,00000000,0000000B,?,004031D0,000000FF), ref: 0040346C

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 0040339E, 004033A4
]qA, xrefs: 004033FA, 00403413
sDialogMessageA, xrefs: 00403383, 0040341E

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: ]qA$o be not permitted or dropped out!Please reconnect and click Retry to resume installation.$sDialogMessageA
API String ID: 1092082344-3488369336
Opcode ID: 56010228795e1ad0e08db069a67fb83c8d86121d496d992e286645f0c7fdccb7
Instruction ID: c44045edb95023ba3cca2d031d7db8c7ecb953bf7021e17233d88aac787edfad
Opcode Fuzzy Hash: 56010228795e1ad0e08db069a67fb83c8d86121d496d992e286645f0c7fdccb7
Instruction Fuzzy Hash: 143181726042059FDB21BF29EE849673BACEB41359B58423BE805B62F0C7785D42CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405994 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059D7
GetLastError.KERNEL32 ref: 004059EB
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405A00
GetLastError.KERNEL32 ref: 00405A0A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059BA
F9@, xrefs: 004059A9

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$F9@
API String ID: 3449924974-504589234
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 0e1db3289ec5df6a0f35b562325bf2216b146a324eccc31de4c45bc136cfaec7
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 220108B1D04219DADF109BA0C944BEFBBB8EB04354F00413ADA44B6290D7799648CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040674B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406762
wsprintfA.USER32 ref: 0040679B
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004067AF

Strings

%s%s.dll, xrefs: 00406795
UXTHEME, xrefs: 00406754
\, xrefs: 00406773

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 3863f05650aab447081eb6fa423b6430e02618d36ffe312384f2529087dcf063
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: 36F0217094021A6BDB149774DD0DFFB375CBB08308F14007AA58AF20C1DA78D9358B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F6F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F83
GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034EF,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007), ref: 00405F9D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F72
nsa, xrefs: 00405F7A

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: c81afa6165f68c23ab33ae750d9da6b6d4b0ed7f5f6f860b32f83f713540d6b5
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: DEF082363042087BDB108F55ED44B9B7B9DDF91750F14C03BFA44DA180D6B499988799

Uniqueness

Uniqueness Score: -1.00%

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 8f54d1db7107121c79eeabdd4d3ff93457635344b973460777cc98a7737a160d
Instruction ID: d5d8e73b2f819034d4a36da7431b6ab1c2b370ec15cffcebf3853f7809143cb5
Opcode Fuzzy Hash: 8f54d1db7107121c79eeabdd4d3ff93457635344b973460777cc98a7737a160d
Instruction Fuzzy Hash: CE21C931904215A7CF207F648E4DA9F3A706F44358F64413FF601B61D1DBBD49819A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403AA1 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038D8,?,?,00000007,00000009,0000000B), ref: 00403AB3
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038D8,?,?,00000007,00000009,0000000B), ref: 00403AC7

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403AA6
C:\Users\user\AppData\Local\Temp\nslCE97.tmp\, xrefs: 00403AD7

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nslCE97.tmp\
API String ID: 2962429428-2448876291
Opcode ID: a9ee9dd59f1d65fc7d516ea45ae36214ae301fc028764db5b16804c067bfeb42
Instruction ID: d999985cb90310bf3b758c666a10fef92de30db54d65d146bcd03f9961b14051
Opcode Fuzzy Hash: a9ee9dd59f1d65fc7d516ea45ae36214ae301fc028764db5b16804c067bfeb42
Instruction Fuzzy Hash: A3E08631A00714A6C124EF7CAD499853A185B45331B244726F0B5F20F0C778A9575EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403222 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031D0,000000FF,00000000,00000000,00000009,?), ref: 00403247

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 0040329C, 004032B3, 004032C9

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 973152223-292220189
Opcode ID: ce81470534c94f9195f7b80e3f7d0d63071f291ff17927e88f905344df711149
Instruction ID: 63e3bc89ebc44e63cb87267a04d05eb10b5728ec6aea7eb37a90b8226d4502d0
Opcode Fuzzy Hash: ce81470534c94f9195f7b80e3f7d0d63071f291ff17927e88f905344df711149
Instruction Fuzzy Hash: 67318B30600219EFDB20DF95ED84A9E7BACEB00359F50443AF904E61A1DB38DE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405DD8: CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,76233410,?,76232EE0,00405B8F,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405DE6
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DEB
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DFF

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405994: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059D7

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Pinball\update
API String ID: 1892508949-3810419145
Opcode ID: 5387091bdfc140b8087f8c86ee1b38cdfb01a532a77df89c8285ea66194cdfe6
Instruction ID: da078a7396538d2b68c3d46abcf0abf86ed4841e4c77ece3ad50f4b688452c44
Opcode Fuzzy Hash: 5387091bdfc140b8087f8c86ee1b38cdfb01a532a77df89c8285ea66194cdfe6
Instruction Fuzzy Hash: 92113431608040EBCF316FA54D419BF23B09E96324B68453FE491B22E2DA3D4C43AA3E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E2D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063AD: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403694,Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 004063BA

Part of subcall function 00405DD8: CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,76233410,?,76232EE0,00405B8F,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405DE6
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DEB
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DFF

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,76233410,?,76232EE0,00405B8F,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405E80
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76233410,?,76232EE0,00405B8F,?,76233410,76232EE0), ref: 00405E90

Strings

C:\, xrefs: 00405E33, 00405E38, 00405E3E, 00405E79, 00405E7F, 00405E87, 00405E8F

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 678f3ead996082f1db05eba5b8c2b9e3d8806008399db563f30518ef42c9b83a
Instruction ID: 9f267cddd7eb309e72c664a5524f4ef8e78f3a4fdcff01b88aa859142a740ccd
Opcode Fuzzy Hash: 678f3ead996082f1db05eba5b8c2b9e3d8806008399db563f30518ef42c9b83a
Instruction Fuzzy Hash: A1F0A431144D9515C72223368D09AAF1A45CEA23A475A453BF8D1B22D2CB3C8A539DEE

Uniqueness

Uniqueness Score: -1.00%

Function 00405FB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,sDialogMessageA,004034A6,00000009,00000009,004033AA,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254), ref: 00405FCC

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405FBB
sDialogMessageA, xrefs: 00405FB8

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.$sDialogMessageA
API String ID: 2738559852-3205533817
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 7e5aaa18cf238fc3c2a2d6f2c990f7ea76405a2d1e5533b3dfe085218e3ca13f
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 93E08C3220061EABCF109E608C04EEB3B6CEB003A0F004433F915E2140E674E8208BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401B87 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(00000000), ref: 00401BF6
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401C08

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401BAE, 00401BB4, 00401BCE

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree
String ID: C:\Users\user\AppData\Local\Temp\setup.exe
API String ID: 3394109436-3080675856
Opcode ID: bfe0dc3d95f43b4409d118f761898962ef2bc76bc8875dd5e6956272c4f99d1f
Instruction ID: abc6247676351e9a3cdf4121a9d035523c1d1b1bab58dc500b012345fd65afdd
Opcode Fuzzy Hash: bfe0dc3d95f43b4409d118f761898962ef2bc76bc8875dd5e6956272c4f99d1f
Instruction Fuzzy Hash: 3D219672600104ABCB10BF648E8596E73E8EB88318729443BF506F32E1DB7CA8515B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC50,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNEL32(?,?,?,?,0040AC50,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: f366e6c306fe12082cf0b05c6ba91687424175233ff3acd6191fb73da5415940
Instruction ID: f11ff60c4b13be1b40730626367b2ac31db3e86d33d3b539648c793afb11e8e7
Opcode Fuzzy Hash: f366e6c306fe12082cf0b05c6ba91687424175233ff3acd6191fb73da5415940
Instruction Fuzzy Hash: DB115171E04208AFEB10AFA59E49AAE7A74AB54714F21443BF504F71C1D6B94D809B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: d9b2f7af4b58b16225319d4737150cd9e7384b2817515e7f92340022bc23a71a
Instruction ID: 73951399082e5fa98c6371f9b4b4b349b16151057db022cfb7c5a8f3282eca10
Opcode Fuzzy Hash: d9b2f7af4b58b16225319d4737150cd9e7384b2817515e7f92340022bc23a71a
Instruction Fuzzy Hash: EB017571904104FFE7159F549E88ABF7B6CEF41358F20443EF105A61C0DAB44E449679

Uniqueness

Uniqueness Score: -1.00%

Function 00405B27 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(?,?,00405B33,?,?,00000000,00405D16,?,?,?,?), ref: 00405F20
Part of subcall function 00405F1B: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F34

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405D16), ref: 00405B42
DeleteFileA.KERNEL32(?,?,?,00000000,00405D16), ref: 00405B4A
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B62

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: fc28fc13a5ffaa1451d385943006fff6504562e94068b3e8e58ff47069311b16
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: A9E0E531508A5196C21067309D08B5B7AF4DF96315F09493AF891F20C0C73CB8068A7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040682E Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406854
GetExitCodeProcess.KERNEL32(?,?), ref: 00406861

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 5b4fe72fd1e708cd3b796925d468a13cc4a0d4fa623004970e8620b303540654
Instruction ID: 786f37fe9b0b1b1757ae7e0e20c5bf7d2f22bc893670cbc7984a2ae372209aef
Opcode Fuzzy Hash: 5b4fe72fd1e708cd3b796925d468a13cc4a0d4fa623004970e8620b303540654
Instruction Fuzzy Hash: 2EE0D832A00108FBDB10AB54DD05E9E7B6EDB44744F114037FB01B61A0D7B19E62EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405FE7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,0041715D,sDialogMessageA,0040342A,sDialogMessageA,0041715D,0040B8A0,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254), ref: 00405FFB

Strings

sDialogMessageA, xrefs: 00405FE7

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID: sDialogMessageA
API String ID: 3934441357-1876393551
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0afa8209b49303e90907335d5d7c52becaf9ed0dec036a1b0300e0b740401a66
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 55E08C3224025AABDF20DE608C00EEB3B6CEB00360F014432FE16E3040DA30E831ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 622720d723debc0e5387cc632ba222ec01e0168f6777bf894a7108f8d5dde447
Instruction ID: 4b56cd5ea3ff9179ab7dc602fdd52c2e718bc4285600ddde5da30d0002e9d155
Opcode Fuzzy Hash: 622720d723debc0e5387cc632ba222ec01e0168f6777bf894a7108f8d5dde447
Instruction Fuzzy Hash: BE110471904204FFDF24CF64CA584AE7BB4AF00344F20483FE042B72C0D6B88A45DA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8d6dbff36e684ac128f086476d42dfa0dacb146ee2a51e47a5bbc3284452034d
Instruction ID: b0909b975399ca643c062e30d3ddfd7e2b7b3efc2cbaaa5a110c2e05b7795de4
Opcode Fuzzy Hash: 8d6dbff36e684ac128f086476d42dfa0dacb146ee2a51e47a5bbc3284452034d
Instruction Fuzzy Hash: 380121317242109BE7180B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A46 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,00000009,00000009,0000000B), ref: 00405A6F
CloseHandle.KERNEL32(?), ref: 00405A7C

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction ID: 48950c8f4c666f3fb74f177c391d78cb5defd913bab31bd9d1c0215700feeedf
Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction Fuzzy Hash: 8AE0BFB5A00209BFEB109BA4ED49F7F77ACFB04608F404525BD50F2150D77499158A78

Uniqueness

Uniqueness Score: -1.00%

Function 004067B9 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,00403633,0000000B), ref: 004067CB
GetProcAddress.KERNEL32(00000000,?), ref: 004067E6

Part of subcall function 0040674B: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406762
Part of subcall function 0040674B: wsprintfA.USER32 ref: 0040679B
Part of subcall function 0040674B: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004067AF

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction ID: a7ac22a06370d6b0a0a90de621bba7f0ce7106f591c7cbd0d506157d44a434a2
Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction Fuzzy Hash: A0E08C32604210ABD21067B49E48C7B73ACAF88708702083FF946F3240DB38DC36A66D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F40 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,80000000,00000003), ref: 00405F44
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,00405B33,?,?,00000000,00405D16,?,?,?,?), ref: 00405F20
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F34

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 21ee5df392e2e3ec62eeb83b5b0df553a0a1579e20daa9fad68e55b8d704abe5
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 99D0C972504422ABD3542728AE0889BBB55DB54271702CB35FDE5A26B1DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A11 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405A17
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A25

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 195c21080821b3492e5a44204faa0221d1fd975594f5f15cd5422cdfd2dc7f48
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 24C08C30714501ABD6101B30AF09B173B60AB00340F028439A38AE00A0CA308015CE2D

Uniqueness

Uniqueness Score: -1.00%

Function 10001426 Relevance: 2.5, APIs: 2, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
GlobalFree.KERNELBASE(10003020), ref: 10001464

Memory Dump Source

Source File: 00000000.00000002.2829821520.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2829797953.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2829836660.0000000010002000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2829851945.0000000010004000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID:
API String ID: 1459762280-0
Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00406261 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 0040628A

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 282812905ffe6fa8799437e3a4fe4156bb01cfe44eebde0263977a6986859224
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 93E0E67201010DBEDF099F50DC0AD7B372DE704300F05492EF906D4151E6B5A9705634

Uniqueness

Uniqueness Score: -1.00%

Function 00406233 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,0042A098,?,?,004062C1,0042A098,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00406257

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 3d740e944366ea514e57ed2aded9f5afd8d3402cece41b903b05e0b4c8e80d31
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 01D0123200020DBBDF116F909D01FAB3B1EEF48350F118826FE06A4091D775D530A728

Uniqueness

Uniqueness Score: -1.00%

Function 00406186 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00406190

Part of subcall function 00406016: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,004061A7,?,?), ref: 00406047
Part of subcall function 00406016: GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00406050
Part of subcall function 00406016: GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 0040606D
Part of subcall function 00406016: wsprintfA.USER32 ref: 0040608B
Part of subcall function 00406016: GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 004060C6
Part of subcall function 00406016: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060D5
Part of subcall function 00406016: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040610D
Part of subcall function 00406016: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406163
Part of subcall function 00406016: GlobalFree.KERNEL32(00000000), ref: 00406174

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 299535525-0
Opcode ID: c322f9145407614dcfa10dfeecaa9c41271446476469625b6f257f08a92a98fd
Instruction ID: 000a298da37951b9beb6bf7480c1bf72e8e5e1d416767976cc0ebe3603791975
Opcode Fuzzy Hash: c322f9145407614dcfa10dfeecaa9c41271446476469625b6f257f08a92a98fd
Instruction Fuzzy Hash: 5DD0A731148201BEDB211F00DD0490B7BB1FB90315F11843EF185940B0D7328060DF09

Uniqueness

Uniqueness Score: -1.00%

Function 004034A9 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,004031A9,?), ref: 004034B7

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

Part of subcall function 00405A46: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,00000009,00000009,0000000B), ref: 00405A6F
Part of subcall function 00405A46: CloseHandle.KERNEL32(?), ref: 00405A7C

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 0040682E: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
Part of subcall function 0040682E: GetExitCodeProcess.KERNEL32(?,?), ref: 00406861

Part of subcall function 0040630B: wsprintfA.USER32 ref: 00406318

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 932d1c38cbfb24ebf877498f87e14b96e13ba20706af4812904e15ae338fca7b
Instruction ID: 11a60f3d6f297274548d694c0275662d066654ba76d574c38af8cf55d6395503
Opcode Fuzzy Hash: 932d1c38cbfb24ebf877498f87e14b96e13ba20706af4812904e15ae338fca7b
Instruction Fuzzy Hash: 0EF0B432905121DBCB20BFA14EC49EFB2A49F41318B24463FF502B21D1CB7C4E418AAE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040560C Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040566B
GetDlgItem.USER32(?,000003EE), ref: 0040567A
GetClientRect.USER32(?,?), ref: 004056B7
GetSystemMetrics.USER32(00000002), ref: 004056BE
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056DF
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056F0
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405703
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405711
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405724
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405746
ShowWindow.USER32(?,00000008), ref: 0040575A
GetDlgItem.USER32(?,000003EC), ref: 0040577B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040578B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004057A4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004057B0
GetDlgItem.USER32(?,000003F8), ref: 00405689

Part of subcall function 0040445F: SendMessageA.USER32(00000028,?,00000001,0040428F), ref: 0040446D

GetDlgItem.USER32(?,000003EC), ref: 004057CC
CreateThread.KERNEL32(00000000,00000000,Function_000055A0,00000000), ref: 004057DA
CloseHandle.KERNEL32(00000000), ref: 004057E1
ShowWindow.USER32(00000000), ref: 00405804
ShowWindow.USER32(?,00000008), ref: 0040580B
ShowWindow.USER32(00000008), ref: 00405851
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405885
CreatePopupMenu.USER32 ref: 00405896
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004058AB
GetWindowRect.USER32(?,000000FF), ref: 004058CB
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058E4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405920
OpenClipboard.USER32(00000000), ref: 00405930
EmptyClipboard.USER32 ref: 00405936
GlobalAlloc.KERNEL32(00000042,?), ref: 0040593F
GlobalLock.KERNEL32(00000000), ref: 00405949
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040595D
GlobalUnlock.KERNEL32(00000000), ref: 00405976
SetClipboardData.USER32(00000001,00000000), ref: 00405981
CloseClipboard.USER32 ref: 00405987

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 2acb7b83d32332fc23b0f55e86c9aeee1e9b5d0168e5b03d031b27125abc7074
Instruction ID: 7efb50357b3f50af201fa6f108fa5506fb008a5585d1c8a66461a5270055d409
Opcode Fuzzy Hash: 2acb7b83d32332fc23b0f55e86c9aeee1e9b5d0168e5b03d031b27125abc7074
Instruction Fuzzy Hash: F2A14971900608BFDB11AFA5DE85AAE7B79FB08354F40403AFA41B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004048BC Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040490B
SetWindowTextA.USER32(00000000,?), ref: 00404935
SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 004049E6
CoTaskMemFree.OLE32(00000000), ref: 004049F1
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0042A8B8), ref: 00404A23
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00404A2F
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A41

Part of subcall function 00405AA7: GetDlgItemTextA.USER32(?,?,00000400,00404A78), ref: 00405ABA

Part of subcall function 0040668B: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066E3
Part of subcall function 0040668B: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F0
Part of subcall function 0040668B: CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F5
Part of subcall function 0040668B: CharPrevA.USER32(0000000B,0000000B,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00406705

GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 00404AFF
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404B1A

Part of subcall function 00404C73: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B8E,000000DF,00000000,00000400,?), ref: 00404D11
Part of subcall function 00404C73: wsprintfA.USER32 ref: 00404D19
Part of subcall function 00404C73: SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404D2C

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00404A1D, 00404A22, 00404A2D
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00404A0C
A, xrefs: 004049DF

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball
API String ID: 2624150263-3732704033
Opcode ID: f759c3bdfbf6dcf5a6d3c58857932ae76a455d95421bf85057ae9753f30115f1
Instruction ID: 418814d4f5b482a1114e5ad802000013a356d82c32de86a083c65c853fd70f02
Opcode Fuzzy Hash: f759c3bdfbf6dcf5a6d3c58857932ae76a455d95421bf85057ae9753f30115f1
Instruction Fuzzy Hash: 09A17FB1A00209ABDB11AFA6C945BAF77B8EF84314F10843BF611B62D1D77C99418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00402238

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Pinball\update
API String ID: 123533781-3810419145
Opcode ID: 33632eb9d2d55aaa42420cc03fede18144e517e278e294a30b7482181739d3ea
Instruction ID: 04de17d00a4dc4a8b41f7435a4088df82794450048cbc41f8bf7b2fd75c255b2
Opcode Fuzzy Hash: 33632eb9d2d55aaa42420cc03fede18144e517e278e294a30b7482181739d3ea
Instruction Fuzzy Hash: 7E511675A00208AFDF10DFE4C988A9D7BB5AF48314F2045AAF505EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004027AA Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b6c00e0e94478f12fd63b5c2aca1cdbca56b6e26543b3531c68661d346b4c890
Instruction ID: 3fa1d78f33bc5af05a97a61fc1c3a0e432ac7d90a4ef56d453e9603bce16c14e
Opcode Fuzzy Hash: b6c00e0e94478f12fd63b5c2aca1cdbca56b6e26543b3531c68661d346b4c890
Instruction Fuzzy Hash: 46F05532608100DBD710EBA48A08AFEB3689F11314FB0047BF002F20C1D6F88944DB3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction ID: 7a70df28d47a3628ca1b0521c3a29fd1132f15960f4e2392888d2acdccabd480
Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction Fuzzy Hash: 4BE18A71900709DFDB24CF58C880BAEBBF1FF45305F15842EE896A7291E738AA91CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004073D5 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction ID: 267aa099e2d25bcaaee6bbd59b652f1cfe254aeb6bd378defe50816dfd9dccfd
Opcode Fuzzy Hash: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction Fuzzy Hash: 12C13731E042199BCF18CF68D4905EEBBB2BF98314F25866AD856B7380D734B942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404E2F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E46
GetDlgItem.USER32(?,00000408), ref: 00404E53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404EA2
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404EB9
SetWindowLongA.USER32(?,000000FC,00405442), ref: 00404ED3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EE5
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404EF9
SendMessageA.USER32(?,00001109,00000002), ref: 00404F0F
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404F1B
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F2B
DeleteObject.GDI32(00000110), ref: 00404F30
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F5B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F67
SendMessageA.USER32(?,00001100,00000000,?), ref: 00405001
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00405031

Part of subcall function 0040445F: SendMessageA.USER32(00000028,?,00000001,0040428F), ref: 0040446D

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405045
GetWindowLongA.USER32(?,000000F0), ref: 00405073
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00405081
ShowWindow.USER32(?,00000005), ref: 00405091
SendMessageA.USER32(?,00000419,00000000,?), ref: 0040518C
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051F1
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405206
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040522A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040524A
ImageList_Destroy.COMCTL32(?), ref: 0040525F
GlobalFree.KERNEL32(?), ref: 0040526F
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052E8
SendMessageA.USER32(?,00001102,?,?), ref: 00405391
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004053A0
InvalidateRect.USER32(?,00000000,00000001), ref: 004053CB
ShowWindow.USER32(?,00000000), ref: 00405419
GetDlgItem.USER32(?,000003FE), ref: 00405424
ShowWindow.USER32(00000000), ref: 0040542B

Strings

M, xrefs: 00404FE9
, xrefs: 00405403
N, xrefs: 004050CA

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: c1c194e9b9070287253358cafda237fff522e19e8e097677c2b12699a22d6652
Instruction ID: d499fac4ffa3b846b6f4258f5395dfa7d3bb3a3819381929755cf89923acce5f
Opcode Fuzzy Hash: c1c194e9b9070287253358cafda237fff522e19e8e097677c2b12699a22d6652
Instruction Fuzzy Hash: E9028CB0A00609AFDB209F94DD45AAF7BB5FB44314F50813AFA10BA2E0D7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F30 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F6C
ShowWindow.USER32(?), ref: 00403F8C
GetWindowLongA.USER32(?,000000F0), ref: 00403F9E
ShowWindow.USER32(?,00000004), ref: 00403FB7
DestroyWindow.USER32 ref: 00403FCB
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FE4
GetDlgItem.USER32(?,?), ref: 00404003
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00404017
IsWindowEnabled.USER32(00000000), ref: 0040401E
GetDlgItem.USER32(?,00000001), ref: 004040C9
GetDlgItem.USER32(?,00000002), ref: 004040D3
SetClassLongA.USER32(?,000000F2,?), ref: 004040ED
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 0040413E
GetDlgItem.USER32(?,00000003), ref: 004041E4
ShowWindow.USER32(00000000,?), ref: 00404205
EnableWindow.USER32(?,?), ref: 00404217
EnableWindow.USER32(?,?), ref: 00404232
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404248
EnableMenuItem.USER32(00000000), ref: 0040424F
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404267
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040427A
lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 004042A4
SetWindowTextA.USER32(?,0042A8B8), ref: 004042B3
ShowWindow.USER32(?,0000000A), ref: 004043E7

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: dd943b36bef5e6101a64a98db85f6916b7033b37facd6ac691b167c3a0268699
Instruction ID: cfe8d3d22397b66955926c3cfba744adcb70c974020a8b32e677ce7b32ac045c
Opcode Fuzzy Hash: dd943b36bef5e6101a64a98db85f6916b7033b37facd6ac691b167c3a0268699
Instruction Fuzzy Hash: 78C1E7B1604204ABDB316F66EE45E2B3A78FB94705F40053EF741B51F0CB7998929B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404595 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404620
GetDlgItem.USER32(00000000,000003E8), ref: 00404634
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404652
GetSysColor.USER32(?), ref: 00404663
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404672
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404681
lstrlenA.KERNEL32(?), ref: 00404684
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404693
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004046A8
GetDlgItem.USER32(?,0000040A), ref: 0040470A
SendMessageA.USER32(00000000), ref: 0040470D
GetDlgItem.USER32(?,000003E8), ref: 00404738
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404778
LoadCursorA.USER32(00000000,00007F02), ref: 00404787
SetCursor.USER32(00000000), ref: 00404790
LoadCursorA.USER32(00000000,00007F00), ref: 004047A6
SetCursor.USER32(00000000), ref: 004047A9
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047D5
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047E9

Strings

N, xrefs: 00404726
B, xrefs: 00404794

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$B
API String ID: 3103080414-4074832742
Opcode ID: 4d05f5e0ef440667059b4acfea2602b31eb488a9e47853f73489c8b11a8fc1e8
Instruction ID: f74a572f32c1eabaa27ded338b34f9593036d5ac8179563e1bc88d7f54208024
Opcode Fuzzy Hash: 4d05f5e0ef440667059b4acfea2602b31eb488a9e47853f73489c8b11a8fc1e8
Instruction Fuzzy Hash: 1961C6B1A40209BFDB10AF61CD45F6A7B69FB84714F10843AFB057B1D1C7B8A951CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Setup Pinball 22,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Setup Pinball 22, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Setup Pinball 22
API String ID: 941294808-2336980834
Opcode ID: cb662b4f4839534f1e503674090c16ddf8ae81f728f075d0793f80a4b08fd510
Instruction ID: 3a3012abeb301a2a27237ef274a244925febb43b73cb3b1a1ba5aa4791300789
Opcode Fuzzy Hash: cb662b4f4839534f1e503674090c16ddf8ae81f728f075d0793f80a4b08fd510
Instruction Fuzzy Hash: 2E419C71800209AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C774EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406016 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,004061A7,?,?), ref: 00406047
GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00406050

Part of subcall function 00405EA5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB5
Part of subcall function 00405EA5: lstrlenA.KERNEL32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EE7

GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 0040606D
wsprintfA.USER32 ref: 0040608B
GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 004060C6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060D5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040610D
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406163
GlobalFree.KERNEL32(00000000), ref: 00406174
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040617B

Part of subcall function 00405F40: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,80000000,00000003), ref: 00405F44
Part of subcall function 00405F40: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66

Strings

%s=%s, xrefs: 00406081
[Rename], xrefs: 004060F5, 00406107

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: e602bdd9d32c47316c0f043e2c5c01b3ab384ce48114597be3de32aa163f2925
Instruction ID: 3e8574c39a0610ec67407c758a3b0be6a8c8f99fe29b991ef795125cbd817837
Opcode Fuzzy Hash: e602bdd9d32c47316c0f043e2c5c01b3ab384ce48114597be3de32aa163f2925
Instruction Fuzzy Hash: F33126316017167BC2306B699D49F2B3A5CDF45758F15003ABD42FA2C2DE7CE8228AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004054CE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

Strings

4/@, xrefs: 00405514, 00405526

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 23038f27ffa0ac85a098dbcc57426fb3d31c8aaa780897c3fdab36f90d014fb0
Instruction ID: 4b9143c85c3745f66eb79234941ef083dbb1be054dfbe47ff8ffe791c5f35d5f
Opcode Fuzzy Hash: 23038f27ffa0ac85a098dbcc57426fb3d31c8aaa780897c3fdab36f90d014fb0
Instruction Fuzzy Hash: F5219D71900518BBDB119FA5DD819DFBFB9EF09354F10807AF944B6290C7388E548F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040668B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066E3
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F0
CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F5
CharPrevA.USER32(0000000B,0000000B,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00406705

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe", xrefs: 0040668B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040668C
*?|<>/":, xrefs: 004066D3

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3028666007
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: ad50ec36196ae086b1f079829a382c2ab89d98dbc250fae59a25bbaada14e1cc
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 6711046180479169FB3207284C44B776F884F97764F19087FE8D2732C2CA7E5CA29A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6

Strings

#Vh%.@, xrefs: 00402F34
... %d%%, xrefs: 00402F1B

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: befa2999037e7dacf8acf22525320a04b4604363a871a5f770e998e30c514811
Instruction ID: a0a68cef0ca481793848c2d9aefcb7cb5e5ecf8e4390e60164e55f5bd8f95203
Opcode Fuzzy Hash: befa2999037e7dacf8acf22525320a04b4604363a871a5f770e998e30c514811
Instruction Fuzzy Hash: 36018E70541221EBCB21BB50EF0CA5B367CAB00745B94003AF605B11E0D6F8894ADFEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404491 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004044AE
GetSysColor.USER32(00000000), ref: 004044EC
SetTextColor.GDI32(?,00000000), ref: 004044F8
SetBkMode.GDI32(?,?), ref: 00404504
GetSysColor.USER32(?), ref: 00404517
SetBkColor.GDI32(?,?), ref: 00404527
DeleteObject.GDI32(?), ref: 00404541
CreateBrushIndirect.GDI32(?), ref: 0040454B

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 2fec9bf24bc66026ef53c67dad773596a416ec909f357223c019effc5fa8433a
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: CF2167B1500704EBCB319F68DD18B5BBBF4AF41714B04892EFAA6B26E0C738E544CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D7D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D98
GetMessagePos.USER32 ref: 00404DA0
ScreenToClient.USER32(?,?), ref: 00404DBA
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DCC
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DF2

Strings

f, xrefs: 00404DCE

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: fe6a20cf2c11a788ccad747fd5f00ef64c02a9fce7e576cf88be79dcb12c2241
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 66014871900219BADB00DBA8DD85BFEBBB8AF55B15F10016ABA41B61C0C6B499018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

unpacking data: %d%%, xrefs: 00402E62
verifying installer: %d%%, xrefs: 00402E69, 00402E72

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 5099d59064bf0d622706c43f384fe22f0e9d0c525a15326d4d650ee4aa82a6b2
Instruction ID: 2c2aa0c7049332f53b6d42298637789440614c7c2e4359aadf4d2442cb353dca
Opcode Fuzzy Hash: 5099d59064bf0d622706c43f384fe22f0e9d0c525a15326d4d650ee4aa82a6b2
Instruction Fuzzy Hash: B1F01D7054020DBBEF21AF60DE0ABAE3769AB14345F00803AFA06B51D0DBF899558B99

Uniqueness

Uniqueness Score: -1.00%

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 2df3cb68b5dbc429f4f1c6a3098a75d6b21630ffe2b8286246b8db2eba0fa2f8
Instruction ID: 072e3b5d3c571983fced0d66139dcaa8d7c51a737b65702004a33dc82ef3b9c0
Opcode Fuzzy Hash: 2df3cb68b5dbc429f4f1c6a3098a75d6b21630ffe2b8286246b8db2eba0fa2f8
Instruction Fuzzy Hash: 1A316C32800128BBDF216FA5DE49D9E7B79AF08324F14423AF554B62E1CB794D419B68

Uniqueness

Uniqueness Score: -1.00%

Function 1000103F Relevance: 9.1, APIs: 6, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
EnumWindows.USER32(10001007,?), ref: 10001074
GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
CloseHandle.KERNEL32(00000000), ref: 100010C5

Memory Dump Source

Source File: 00000000.00000002.2829821520.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2829797953.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2829836660.0000000010002000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2829851945.0000000010004000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
String ID:
API String ID: 3465249596-0
Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b743165f959946a4ccd9b25dfd89ff3ae47307fb0fa25d43bbc95ee673993e20
Instruction ID: 7635178ac91153ec690d33bbb3d07e4398e625bcf7d11104edb46be020a0d663
Opcode Fuzzy Hash: b743165f959946a4ccd9b25dfd89ff3ae47307fb0fa25d43bbc95ee673993e20
Instruction Fuzzy Hash: 24212B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AFA55B11A0D7B49EA49AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: de32b336c1ffdc66ac374c0ca9fff1b1f5d0d7551e6d5e34af7361189a15debb
Instruction ID: 27b1212a805eea3139c87a475943c4b4ab790071e569df717d046b8c5e7325cd
Opcode Fuzzy Hash: de32b336c1ffdc66ac374c0ca9fff1b1f5d0d7551e6d5e34af7361189a15debb
Instruction Fuzzy Hash: B5215A72E00109AFCF14DFA4DD85AAEBBB5EB48300F24407EF901F62A0DB389941DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 15cf77a67f34936d3abac871dc2773a608caae73cb034566782e53c9d0023549
Instruction ID: 685b73550df4dfc38284db97e20d4fcba876ab7456e304ac105fd168e902647a
Opcode Fuzzy Hash: 15cf77a67f34936d3abac871dc2773a608caae73cb034566782e53c9d0023549
Instruction Fuzzy Hash: 46018072544248AEE7007BB1AF4AA9A7FE8E755305F108839F241B61F2CB780448CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404C73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B8E,000000DF,00000000,00000400,?), ref: 00404D11
wsprintfA.USER32 ref: 00404D19
SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404D2C

Strings

%u.%u%s%s, xrefs: 00404CFB

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: fd4e6de80d7076eadaf05026f9996a105bc8a90ef5d6e2270e2ceec6d89389f4
Instruction ID: 80ef3aaef9c7940d6c9ce4e805d84fd1729c92a9eb25c0fff6ef42e4110b4dd6
Opcode Fuzzy Hash: fd4e6de80d7076eadaf05026f9996a105bc8a90ef5d6e2270e2ceec6d89389f4
Instruction Fuzzy Hash: B7110D7360812437E700666D9C42EAE3298DB85378F254237FE25F31D1DA78CC2242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 19a7777fe1495908293cc8df242e47f69f85fd711ccd5f7a82add7804c840abb
Instruction ID: d04047f7d872ba11913f05e2c7a8e30a40315ff7848647abde4a87fe257326fc
Opcode Fuzzy Hash: 19a7777fe1495908293cc8df242e47f69f85fd711ccd5f7a82add7804c840abb
Instruction Fuzzy Hash: 1B218571948208BEEB059FF5D986AAD7FB4EF44304F10447FF101B61D1D7B989819B18

Uniqueness

Uniqueness Score: -1.00%

Function 00405D3F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405D45
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405D4E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D5F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D3F

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 3965532e52c2964af4e4a5008f28a1982034686e92c93decc9c116211ffbf6ee
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 64D0A7621016307AD21126159C09ECF19088F02314B0A4027F540B6191C63C4C2287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,76233410,?,76232EE0,00405B8F,?,76233410,76232EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe"), ref: 00405DE6
CharNextA.USER32(00000000), ref: 00405DEB
CharNextA.USER32(00000000), ref: 00405DFF

Strings

C:\, xrefs: 00405DD9

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: bf86ed20fb7b94292cf6712911d0d54b52c00300c187dbabdd3beb47ec0449aa
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 59F09671904F516AFB325764DC44B775B88DB99351F18447BD5C07A2C1C37C4A814FEA

Uniqueness

Uniqueness Score: -1.00%

Function 00405442 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405471
CallWindowProcA.USER32(?,?,?,?), ref: 004054C2

Part of subcall function 00404476: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404488

Strings

, xrefs: 00405452

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 92a9fd2b7c2ec255fefba8023c613c5f78be7de0a7b6046c5c0ea937018391f1
Instruction ID: cd94b52dfe26eb285e266741e60656ba327741ee1343d18e5777b23f1cc810fd
Opcode Fuzzy Hash: 92a9fd2b7c2ec255fefba8023c613c5f78be7de0a7b6046c5c0ea937018391f1
Instruction Fuzzy Hash: FC017171101A09AFEF209F11DD80BDB3666EB84356F544136FE04791E2C73D8CA29E2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406294 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Local\Temp\setup.exe,0042A098,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe,?,0040654C,80000002), ref: 004062DA
RegCloseKey.ADVAPI32(?,?,0040654C,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,?,0042A098), ref: 004062E5

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00406297, 004062CB

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\setup.exe
API String ID: 3356406503-3080675856
Opcode ID: a06636a21785f92a6ab7dc052d514d90bb4365a2268a51d0e95fcadfc93642b0
Instruction ID: 01dcb0f67e6ed75bb3d5fe412ec2f5c27d3211a9352167a32a014d0c2b7904db
Opcode Fuzzy Hash: a06636a21785f92a6ab7dc052d514d90bb4365a2268a51d0e95fcadfc93642b0
Instruction Fuzzy Hash: 10015E72500209AAEF228F55CD05FDB3BA8EF55354F01403AFD56A2190D374D968DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,80000000,00000003), ref: 00405D8C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe,80000000,00000003), ref: 00405D9A

Strings

C:\Users\user\Desktop, xrefs: 00405D86

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 791fe6a49cce3cab353f7a30e3e4730565bbd32bb5c0eaa1a09902b3577b180c
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: 5CD0A9A24089B06EF3436210CC08B8F6A88CF13301F0A84A3F480EA1A0C2BC4C428BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA5 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB5
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405ECD
CharNextA.USER32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EDE
lstrlenA.KERNEL32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EE7

Memory Dump Source

Source File: 00000000.00000002.2828860500.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2828842671.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828880938.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828899365.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2828994425.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: b323b191ad28fc2fdc0003cf04e9b2d3b97c0f6d09c02c1c7944b0fd21ce9d7a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 78F0C231205814AFCB02DBA4DD0099FBBA8EF55350B2540B9E881F7211DA34DF01ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: setup.exePID: 7000, Parent PID: 1828COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1367
Total number of Limit Nodes:	26

Executed Functions

Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 004034EF
GetVersionExA.KERNEL32(?), ref: 00403518
GetVersionExA.KERNEL32(0000009C), ref: 0040352F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
OleInitialize.OLE32(00000000), ref: 0040363C
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
ExitProcess.KERNEL32 ref: 004038D4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
ExitProcess.KERNEL32 ref: 00403A76

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403675, 0040367B, 0040382A
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403996
Error launching installer, xrefs: 0040386C
C:\Users\user\AppData\Local\Temp, xrefs: 00403906, 0040390B, 00403938
.tmp, xrefs: 004038FB
SeShutdownPrivilege, xrefs: 00403A0B
TEMP, xrefs: 004037E7
1033, xrefs: 00403803
UXTHEME, xrefs: 004035EC, 004035F1, 004035F7
Low, xrefs: 004037D5
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403891
\Temp, xrefs: 004037B9
A, xrefs: 0040356A
NSIS Error, xrefs: 00403660
C:\Users\user\AppData\Local\Temp\, xrefs: 00403797, 0040379C, 004037B2, 004037BE, 004037CD, 004037DA, 004037E6, 004037EE, 004038E4, 004038F5, 00403900, 0040390C, 00403919, 00403928, 004039DD
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403787, 00403886, 0040392F, 00403939
~nsu, xrefs: 004038DF
", xrefs: 004036CC
TMP, xrefs: 004037EF
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034E1

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-3954682163
Opcode ID: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
Opcode Fuzzy Hash: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
FindClose.KERNEL32(00000000), ref: 00405CB1

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
\*.*, xrefs: 00405BB5

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
API String ID: 2035342205-2643862536
Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Uniqueness

Uniqueness Score: -1.00%

Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(76233410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,76233410,?,76232EE0,00405B6A,?,76233410,76232EE0), ref: 0040670A
FindClose.KERNEL32(00000000), ref: 00406716

Strings

C:\, xrefs: 004066FF

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,?,?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000000,C:\Users\user\AppData\Roaming\Pinball,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,76233410), ref: 00403C5E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Pinball), ref: 00403CC5

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

RegisterClassA.USER32(00423EE0), ref: 00403D02
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
RegisterClassA.USER32(00423EE0), ref: 00403DC7
DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403B71
RichEd20, xrefs: 00403D8B
1033, xrefs: 00403B8E, 00403BE4
Control Panel\Desktop\ResourceLocale, xrefs: 00403BA2
PB, xrefs: 00403B9A
_Nb, xrefs: 00403CE1, 00403D49
.DEFAULT\Control Panel\International, xrefs: 00403BD4
>B, xrefs: 00403CD4
RichEdit, xrefs: 00403DB8
.exe, xrefs: 00403C6B
RichEdit20A, xrefs: 00403DA9, 00403DAF
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00403C2C, 00403C34, 00403C41, 00403C8B, 00403C91
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403BF8, 00403C00, 00403C98, 00403C9E, 00403CAE
RichEd32, xrefs: 00403D99

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 1975747703-2053783280
Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C

Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNELBASE(00000040,00000009), ref: 00403117

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
Error launching installer, xrefs: 00402FAC
Null, xrefs: 00403053
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
soft, xrefs: 0040304A
Inst, xrefs: 00403041
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3396534468
Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000400), ref: 00406549
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe), ref: 004065A6
CoTaskMemFree.OLE32(00000000), ref: 004065B2
lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628

Strings

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00406445, 00406515, 00406516, 00406517, 00406533, 00406548, 0040655B, 00406577, 004065A2, 004065D5, 004065DB, 004065F3, 00406606, 00406621, 00406627, 0040662F, 00406659
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406518

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-847058561
Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000000,00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00401786

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe
API String ID: 1941528284-681098351
Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
GetLastError.KERNEL32 ref: 004059C6
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
GetLastError.KERNEL32 ref: 004059E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405995
!9@, xrefs: 00405984

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: !9@$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3408088068
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
wsprintfA.USER32 ref: 00406776
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A

Strings

\, xrefs: 0040674E
UXTHEME, xrefs: 0040672F
%s%s.dll, xrefs: 00406770

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Uniqueness

Uniqueness Score: -1.00%

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
String ID:
API String ID: 2989416154-0
Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Uniqueness

Uniqueness Score: -1.00%

Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F5E
GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78

Strings

nsa, xrefs: 00405F55
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4D

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Uniqueness

Uniqueness Score: -1.00%

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2

Strings

C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\, xrefs: 00403AB2
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\
API String ID: 2962429428-219582499
Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,76233410,?,76232EE0,00405B6A,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040596F: CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Pinball, xrefs: 00401631

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Pinball
API String ID: 1892508949-48148501
Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,76233410,?,76232EE0,00405B6A,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,76233410,?,76232EE0,00405B6A,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76233410,?,76232EE0,00405B6A,?,76233410,76232EE0), ref: 00405E6B

Strings

C:\, xrefs: 00405E0E, 00405E13, 00405E19, 00405E54, 00405E5A, 00405E62, 00405E6A

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE

Uniqueness

Uniqueness Score: -1.00%

Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004068D9 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403305 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403319

Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
SetFilePointer.KERNELBASE(155D076A,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679

Uniqueness

Uniqueness Score: -1.00%

Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F

RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD

Uniqueness

Uniqueness Score: -1.00%

Function 004031FD Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
CloseHandle.KERNEL32(?), ref: 00405A57

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

Uniqueness

Uniqueness Score: -1.00%

Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040BACB,0040B8F8,00403405,0040B8F8,0040BACB,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F93 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Part of subcall function 00405A21: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405646
GetDlgItem.USER32(?,000003EE), ref: 00405655
GetClientRect.USER32(?,?), ref: 00405692
GetSystemMetrics.USER32(00000002), ref: 00405699
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
ShowWindow.USER32(?,00000008), ref: 00405735
GetDlgItem.USER32(?,000003EC), ref: 00405756
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
GetDlgItem.USER32(?,000003F8), ref: 00405664

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

GetDlgItem.USER32(?,000003EC), ref: 004057A7
CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
CloseHandle.KERNEL32(00000000), ref: 004057BC
ShowWindow.USER32(00000000), ref: 004057DF
ShowWindow.USER32(?,00000008), ref: 004057E6
ShowWindow.USER32(00000008), ref: 0040582C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
CreatePopupMenu.USER32 ref: 00405871
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
GetWindowRect.USER32(?,000000FF), ref: 004058A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
OpenClipboard.USER32(00000000), ref: 0040590B
EmptyClipboard.USER32 ref: 00405911
GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
GlobalLock.KERNEL32(00000000), ref: 00405924
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
GlobalUnlock.KERNEL32(00000000), ref: 00405951
SetClipboardData.USER32(00000001,00000000), ref: 0040595C
CloseClipboard.USER32 ref: 00405962

Strings

PB, xrefs: 004058D7

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E21
GetDlgItem.USER32(?,00000408), ref: 00404E2E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
DeleteObject.GDI32(00000110), ref: 00404F0B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
GetWindowLongA.USER32(?,000000F0), ref: 0040504E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
ShowWindow.USER32(?,00000005), ref: 0040506C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
ImageList_Destroy.COMCTL32(?), ref: 0040523A
GlobalFree.KERNEL32(?), ref: 0040524A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
ShowWindow.USER32(?,00000000), ref: 004053F4
GetDlgItem.USER32(?,000003FE), ref: 004053FF
ShowWindow.USER32(00000000), ref: 00405406

Strings

N, xrefs: 004050A5
, xrefs: 004053DE
M, xrefs: 00404FC4

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
ShowWindow.USER32(?), ref: 00403F67
GetWindowLongA.USER32(?,000000F0), ref: 00403F79
ShowWindow.USER32(?,00000004), ref: 00403F92
DestroyWindow.USER32 ref: 00403FA6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
GetDlgItem.USER32(?,?), ref: 00403FDE
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
IsWindowEnabled.USER32(00000000), ref: 00403FF9
GetDlgItem.USER32(?,00000001), ref: 004040A4
GetDlgItem.USER32(?,00000002), ref: 004040AE
SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
GetDlgItem.USER32(?,00000003), ref: 004041BF
ShowWindow.USER32(00000000,?), ref: 004041E0
EnableWindow.USER32(?,?), ref: 004041F2
EnableWindow.USER32(?,?), ref: 0040420D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
EnableMenuItem.USER32(00000000), ref: 0040422A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
SetWindowTextA.USER32(?,00420D50), ref: 0040428E
ShowWindow.USER32(?,0000000A), ref: 004043C2

Strings

PB, xrefs: 0040426F

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 1860320154-3196168531
Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
GetSysColor.USER32(?), ref: 0040463E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
lstrlenA.KERNEL32(?), ref: 0040465F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
GetDlgItem.USER32(?,0000040A), ref: 004046E5
SendMessageA.USER32(00000000), ref: 004046E8
GetDlgItem.USER32(?,000003E8), ref: 00404713
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
LoadCursorA.USER32(00000000,00007F02), ref: 00404762
SetCursor.USER32(00000000), ref: 0040476B
LoadCursorA.USER32(00000000,00007F00), ref: 00404781
SetCursor.USER32(00000000), ref: 00404784
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4

Strings

N, xrefs: 00404701
6B, xrefs: 0040476F

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B

Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
wsprintfA.USER32 ref: 00406066
GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
GlobalFree.KERNEL32(00000000), ref: 0040614F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156

Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Strings

.B, xrefs: 0040603D
%s=%s, xrefs: 0040605C
.B, xrefs: 00406044
*B, xrefs: 00406010
[Rename], xrefs: 004060D0, 004060E2

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]$*B$.B$.B
API String ID: 2171350718-3836630945
Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048E6
SetWindowTextA.USER32(00000000,?), ref: 00404910
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
CoTaskMemFree.OLE32(00000000), ref: 004049CC
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00420D50), ref: 004049FE
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe), ref: 00404A0A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C

Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95

Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
Part of subcall function 00406666: CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5

Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

A, xrefs: 004049BA
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 004049F8, 004049FD, 00404A08
C:\Users\user\AppData\Roaming\Pinball, xrefs: 004049E7
PB, xrefs: 00404994

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$PB
API String ID: 2624150263-2203346535
Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

4/@, xrefs: 004054EF, 00405501

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
CharNextA.USER32(0000000B,?,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
CharPrevA.USER32(0000000B,0000000B,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
*?|<>/":, xrefs: 004066AE
C:\Users\user\AppData\Local\Temp\, xrefs: 00406667

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2501437094
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,000001D3), ref: 00402EB6

Strings

... %d%%, xrefs: 00402F1B
#Vh%.@, xrefs: 00402F34

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE

Uniqueness

Uniqueness Score: -1.00%

Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404489
GetSysColor.USER32(00000000), ref: 004044C7
SetTextColor.GDI32(?,00000000), ref: 004044D3
SetBkMode.GDI32(?,?), ref: 004044DF
GetSysColor.USER32(?), ref: 004044F2
SetBkColor.GDI32(?,?), ref: 00404502
DeleteObject.GDI32(?), ref: 0040451C
CreateBrushIndirect.GDI32(?), ref: 00404526

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
GetMessagePos.USER32 ref: 00404D7B
ScreenToClient.USER32(?,?), ref: 00404D95
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD

Strings

f, xrefs: 00404DA9

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

unpacking data: %d%%, xrefs: 00402E62
verifying installer: %d%%, xrefs: 00402E69, 00402E72

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99

Uniqueness

Uniqueness Score: -1.00%

Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
wsprintfA.USER32 ref: 00404CF4
SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

PB, xrefs: 00404CDE
%u.%u%s%s, xrefs: 00404CD6

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18

Uniqueness

Uniqueness Score: -1.00%

Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,76233410,?,76232EE0,00405B6A,?,76233410,76232EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
CharNextA.USER32(00000000), ref: 00405DC6
CharNextA.USER32(00000000), ref: 00405DDA

Strings

C:\, xrefs: 00405DB4

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA

Uniqueness

Uniqueness Score: -1.00%

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\Pinball, xrefs: 00402238

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Pinball
API String ID: 123533781-48148501
Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040544C
CallWindowProcA.USER32(?,?,?,?), ref: 0040549D

Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463

Strings

, xrefs: 0040542D

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00406527,80000002), ref: 004062B5
RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00420530), ref: 004062C0

Strings

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00406272, 004062A6

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
API String ID: 3356406503-1868761164
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405D61

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-1104044542
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

Memory Dump Source

Source File: 00000003.00000002.2812279060.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.2812257110.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812294465.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000040A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.0000000000422000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812312785.000000000042A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000042E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000431000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000043E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000044C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.0000000000453000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.2812655082.000000000045A000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 500, Parent PID: 7000COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	43
Total number of Limit Nodes:	4

Executed Functions

Function 067E2F88 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331ecaa0b4f339b6fdc8d6af10dfe37bc87d14072fa9767296fd675a38aca3f5
Instruction ID: 87d373295bc1c602d5c0b654d405cf0d465a8bcdb8a0971f70ef2c808b6143cb
Opcode Fuzzy Hash: 331ecaa0b4f339b6fdc8d6af10dfe37bc87d14072fa9767296fd675a38aca3f5
Instruction Fuzzy Hash: 86225A74A00609DFDB54CFA9C4906AEB7F2FF88310F24851AE946EB354DB35AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D3E0 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F9D46E
GetCurrentThread.KERNEL32 ref: 02F9D4AB
GetCurrentProcess.KERNEL32 ref: 02F9D4E8
GetCurrentThreadId.KERNEL32 ref: 02F9D541

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: fa48715de23f0ee975672cd03a210eae9fe44a8aeb19c736a6d328743e4cc4f5
Instruction ID: 9d39052c5eb7787e1f91a7582453657529036c3b67a08b096814f90f0c90eda6
Opcode Fuzzy Hash: fa48715de23f0ee975672cd03a210eae9fe44a8aeb19c736a6d328743e4cc4f5
Instruction Fuzzy Hash: 185177B0D00709CFEB54EFA9D548BAEBBF1EF88314F248459E508A7360D7389945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D3F0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02F9D46E
GetCurrentThread.KERNEL32 ref: 02F9D4AB
GetCurrentProcess.KERNEL32 ref: 02F9D4E8
GetCurrentThreadId.KERNEL32 ref: 02F9D541

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f071744aa1ba341fb2c7ebfcf9453a3e8eeea67642a9872eca606fae432e3ac6
Instruction ID: 02906c0eb1a29420fecef9ca7c3b0c60c44987db995a97154b8874739cad38df
Opcode Fuzzy Hash: f071744aa1ba341fb2c7ebfcf9453a3e8eeea67642a9872eca606fae432e3ac6
Instruction Fuzzy Hash: EF5155B0900709CFEB54DFAAD548BAEBBF1FF88314F248459E109A7360DB346945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05AA7158 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2882598598.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5aa0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab456d4fa318636b0f5589db627a99712b94a27c5a19f5f344d2a8c071c3d84
Instruction ID: a8c53d3f43dc866136da3535e11d86878d75499f6ba3bfb2488c8552c1be156c
Opcode Fuzzy Hash: 6ab456d4fa318636b0f5589db627a99712b94a27c5a19f5f344d2a8c071c3d84
Instruction Fuzzy Hash: 7C412272E043598FDB00CFB9D80079EBBF5EF89210F19856AD405A7251EB789841CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D630 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F9D6BF

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7451034b8fa3eecd6c37afcaf9de6b34fa16d9eae2d938235e33829c666c66f5
Instruction ID: b4539881bdd707624a31a1cd57b349195bf54ad95acab47e682b8c4094ee3920
Opcode Fuzzy Hash: 7451034b8fa3eecd6c37afcaf9de6b34fa16d9eae2d938235e33829c666c66f5
Instruction Fuzzy Hash: 762119B5D002089FDB10DFAAD984ADEBFF8FB48710F14841AE918A3310D374A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D638 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F9D6BF

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a1fb165c2c47331ada4b345c41cea4669c3ae5d16776a9e094b05259b47abffd
Instruction ID: b2a20d84cf369e2e6f388921c3f61657cd4ee7b25dfb26424591fbc49cf30e91
Opcode Fuzzy Hash: a1fb165c2c47331ada4b345c41cea4669c3ae5d16776a9e094b05259b47abffd
Instruction Fuzzy Hash: B721E4B5D002489FDB10CFAAD984ADEBBF8EB48310F14841AE918A7350D378A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D1BF Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 02F9E090

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: e1fa2ad0a3c9686af39189a7ecf43de34b2ded88f5444a3f00ff9b7f94c71a6f
Instruction ID: b0c54475febc31c30622335815c3754edbce10b0400debcad543c40b13fda760
Opcode Fuzzy Hash: e1fa2ad0a3c9686af39189a7ecf43de34b2ded88f5444a3f00ff9b7f94c71a6f
Instruction Fuzzy Hash: 1E2156728003499FDB20DF9AD848BDEBFF8EF48720F14845AE958A7251D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F9E020 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 02F9E090

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a011971fc0931a78244c56369ff94ad7775d4099948b5d6d934c9267abab7e85
Instruction ID: b5ac6d667d3e63672580487f54df2af06edf605215ad18668720004eaa82570e
Opcode Fuzzy Hash: a011971fc0931a78244c56369ff94ad7775d4099948b5d6d934c9267abab7e85
Instruction Fuzzy Hash: DD1179718003099FDB20DF9AD844BDEFBF4FB48310F108419E558A3650D338A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D1CC Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 02F9E090

Memory Dump Source

Source File: 00000006.00000002.2586012651.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2f90000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7a10a2b77293910ab747f88e4f225b7e25066b417e7cccf2c9e9af6766b6c593
Instruction ID: b50fd2862cc47edf79337574222d9eca8996f68ab35c764769cc5dd3c3ef7d9a
Opcode Fuzzy Hash: 7a10a2b77293910ab747f88e4f225b7e25066b417e7cccf2c9e9af6766b6c593
Instruction Fuzzy Hash: 251149719007499FDB20DF9AD844BDEBFF4FB48710F10841AE958A7250D374A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05AA7240 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 05AA72A7

Memory Dump Source

Source File: 00000006.00000002.2882598598.0000000005AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5aa0000_Pinball.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3ab08faf2a3d58af00273ddca1dafa7aaec83abfc07d2cee9a5ebf66482e745e
Instruction ID: bcb990a0f6fd4bdd7ed8da419cb0a64c2cf3222dafcaecf13b88af7789ee6b96
Opcode Fuzzy Hash: 3ab08faf2a3d58af00273ddca1dafa7aaec83abfc07d2cee9a5ebf66482e745e
Instruction Fuzzy Hash: 371112B1C0065A9FDB10DF9AD444BDEFBF4AF48720F15812AE818A7240D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 067E24B0 Relevance: 1.5, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

], xrefs: 067E2C11

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: fa0fed48a5f872ecc0f4748a6a154842e3bde6972d557d2066a46af6b34b9263
Instruction ID: fad9fe87e51768013a96d5bf5432d7830b2f25b8d58ef50c999da5f87fee91c4
Opcode Fuzzy Hash: fa0fed48a5f872ecc0f4748a6a154842e3bde6972d557d2066a46af6b34b9263
Instruction Fuzzy Hash: 2581F530B04249DFCF51DF74C8949AE7BFAEF89300B14846AE516DB256DA30DE4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 067E4F18 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd8a4ed73a736473e42a82ec9a5ba54d985eb2dbab011946419c7e4a3470223
Instruction ID: 73be86e64594b8abad6b0bc3f6d24a0da27c0db76eb691022a080711e28ea4af
Opcode Fuzzy Hash: fcd8a4ed73a736473e42a82ec9a5ba54d985eb2dbab011946419c7e4a3470223
Instruction Fuzzy Hash: 47225E34A10219CFEB54DFA4D894AAE77B2FF88314F248158E906AB365DB31EC55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 067E1010 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed6c9b8a7694df43cc947b7b9ba8aa91b0f8e531d313547044069f5ecea6b86
Instruction ID: 1237c32c65d991a996a3cdd5badbe077fcf5220dfb9fac5a11abf62f38492384
Opcode Fuzzy Hash: 0ed6c9b8a7694df43cc947b7b9ba8aa91b0f8e531d313547044069f5ecea6b86
Instruction Fuzzy Hash: 3391BC34B102109FEB54CFA9C895B6EBBFABF8C610F548169E906DB391DA31DC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067E7D59 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcda78c0b05fac9c3d1618dca246177a7076cba848d1f7dbef342afea66c8c93
Instruction ID: bb5b01b616a363299080614ab00e76fff9959cb2ecd15c56620cd440f46cc6e1
Opcode Fuzzy Hash: fcda78c0b05fac9c3d1618dca246177a7076cba848d1f7dbef342afea66c8c93
Instruction Fuzzy Hash: 39518434704B418FE7688729C48477EB7B2EB8D705F14C81AD543CB696D6B8E84ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 067E5D68 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4cf9c581132b1fa5e2802305d2d7d3e8da74482bfa76df9b72e7f70d1e8bae
Instruction ID: 71e033ffab8afbe0a496bdd0bdfc3396a6aab60c93a36f6a791fcf0a23587d17
Opcode Fuzzy Hash: 4d4cf9c581132b1fa5e2802305d2d7d3e8da74482bfa76df9b72e7f70d1e8bae
Instruction Fuzzy Hash: FD519E71A001099FDB54CFA4D894ABFBBBAFF88314F14802AEA15D7251DB31E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 067E625F Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63289a21c3ce1d28cb26c33f92db15fef9c0f005e292d140307d57bce213183
Instruction ID: 9c40227bf2671a30d759467fe8ac6db2fc2f71b189a83856cbfeb196056dda42
Opcode Fuzzy Hash: e63289a21c3ce1d28cb26c33f92db15fef9c0f005e292d140307d57bce213183
Instruction Fuzzy Hash: 90515C34700710CFD7649B29D498A3EB7F6FBA8705B11C82ED543C764ADB74E88A8B81

Uniqueness

Uniqueness Score: -1.00%

Function 067E1300 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec591024b5b18fd0015d653434569c9d683e9aebc90ba18ace8095ea17cd109
Instruction ID: ab973e67019182c81a2f5d0f939f9a2f13ca3e1bba9ae5256406814b07189fa7
Opcode Fuzzy Hash: fec591024b5b18fd0015d653434569c9d683e9aebc90ba18ace8095ea17cd109
Instruction Fuzzy Hash: F8513635B20214CFCB48DF69D89996DB7B6FF89B1475581AAE506CB361DB30EC08CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067E0BAB Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 222ec63c382801f8585f2a6a8f612d6ee996e9ced27812ab44bc89ec88e58df8
Instruction ID: 87075f629f23b8685783abb50d2e7b1fe3830680823c54b8835e87b66cc1bf6d
Opcode Fuzzy Hash: 222ec63c382801f8585f2a6a8f612d6ee996e9ced27812ab44bc89ec88e58df8
Instruction Fuzzy Hash: 06518E35A10208DFCB45EFA8D8849EDBBB6FF89300F11416AE502EB361DB319949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067E5511 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b203e94e29f2d2ecd78a2fb6fcecd464ce791181451ce513f44b90766621bb50
Instruction ID: bf01b9dc2059364ca59858a2287841825859df80689de119238a9d9aa04c34d2
Opcode Fuzzy Hash: b203e94e29f2d2ecd78a2fb6fcecd464ce791181451ce513f44b90766621bb50
Instruction Fuzzy Hash: EA512835A10109DFEB54CFA0D958EAE7BB2FF48308F208118F902A7261DB329D55CF61

Uniqueness

Uniqueness Score: -1.00%

Function 067E4F09 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b593f611f63d7d88ef15297b466083415298c5aea737e2ccbf747e233cd4ff16
Instruction ID: 55add8c9a082ba0c451fee1d8dc2ceff41fb322877758c494cee6aa69761b1a8
Opcode Fuzzy Hash: b593f611f63d7d88ef15297b466083415298c5aea737e2ccbf747e233cd4ff16
Instruction Fuzzy Hash: 75414F35910209DFEF55CFA0D998AEEBBB2FF48304F244529E901A7265D7329C55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 067E2C00 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7b93e588b97b36693d2be41a2526ed479e43338768728e134507d860087dd0
Instruction ID: f4c96dfeb2f190b25e133bc4dbaddfb4911533137bece3215fa0133b4ccc4cdd
Opcode Fuzzy Hash: 5e7b93e588b97b36693d2be41a2526ed479e43338768728e134507d860087dd0
Instruction Fuzzy Hash: C13187347043008FE7688738D4547BE73BDEF09310F34856BE626CBAA3CAA9D9498381

Uniqueness

Uniqueness Score: -1.00%

Function 067E57E8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca1ef18bed0c7def26919a746ffab7ee24b9048b772c4284bfcefa36d9e41ab
Instruction ID: 513d235b89971cf5b38bf8f946d46257e0905d78acb8fb867479b53b076522e8
Opcode Fuzzy Hash: 4ca1ef18bed0c7def26919a746ffab7ee24b9048b772c4284bfcefa36d9e41ab
Instruction Fuzzy Hash: E741B171A14249CFEB54CB68C5907FEBBF1AF89318F0881A9D145EB382C6769948CB60

Uniqueness

Uniqueness Score: -1.00%

Function 067E09D9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226eb408ef56985caa81cc6ec6e9add7dfbe25b5db15608a18e0ddf0564961e
Instruction ID: 43090f17c6522b96fa36fa807fe9e3ad3819f57884d56400f34231c25e976184
Opcode Fuzzy Hash: 6226eb408ef56985caa81cc6ec6e9add7dfbe25b5db15608a18e0ddf0564961e
Instruction Fuzzy Hash: 26310431F002189FDB559B68C4586AE7FF2AFCD700F24406AE405EB366DEB59C0ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 067E8950 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e2c28e6bf512a36d6d582205356242c0d0c89489656223a3e271b1bd0f200b
Instruction ID: a29e49a7e036cc8ac2aca976e14cffea1ce8c16a58232187d93d8469a2146621
Opcode Fuzzy Hash: 46e2c28e6bf512a36d6d582205356242c0d0c89489656223a3e271b1bd0f200b
Instruction Fuzzy Hash: C831FB38B00205CFCB55EB69D544BEEBBF2EB89310F10856AD41657395DB3A6C46CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 067E0FE0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7838fdcaaccff6c6c1f1fecb716de2ca31937cde4971c5fb5f92e3d2efdfec2a
Instruction ID: c993634fc33ba94da0d718d1d1fd641217b46a9369e23c17514483d59ef3fcb6
Opcode Fuzzy Hash: 7838fdcaaccff6c6c1f1fecb716de2ca31937cde4971c5fb5f92e3d2efdfec2a
Instruction Fuzzy Hash: 7C21C431E143449FCB65CF699C81BEEBFF1AF8D210F18416AE504E7281D6358959CB91

Uniqueness

Uniqueness Score: -1.00%

Function 067E8827 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c254cac7f51abbe98c23cd4482a92b9b0d435bc42fd30e4777861ecd466369d
Instruction ID: e9b177d76abcd620986fed599687a4c114735408880b338278debad690f12ffb
Opcode Fuzzy Hash: 5c254cac7f51abbe98c23cd4482a92b9b0d435bc42fd30e4777861ecd466369d
Instruction Fuzzy Hash: 21314F38A10200CFC355DF69E5999A97BF2FF88711B15C06AE81ACB361CB35AC41CF41

Uniqueness

Uniqueness Score: -1.00%

Function 067E8838 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c168e0dd0f7519e837595e5a97aad1bd93601fba4dd0c985faf64d3a4ddb05
Instruction ID: f4aad4e236073891b0561fc60fa132265a28d4ab6e7e167a719fd3de42f57b50
Opcode Fuzzy Hash: 76c168e0dd0f7519e837595e5a97aad1bd93601fba4dd0c985faf64d3a4ddb05
Instruction Fuzzy Hash: 7F312938A11204CFC354EF69E599969BBF2FF88711B15C0A9E91A8B361CB34EC41CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0154D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2556411601.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_154d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e7d24bb76a4a7bd94545a3ef872defa20b55679b49ed3d86bca7e6c3a3f095
Instruction ID: 9ce1a123b86ce68d3c9e9acdd5bd233a1532748771ec0d4ad5ce66130c6291f9
Opcode Fuzzy Hash: f0e7d24bb76a4a7bd94545a3ef872defa20b55679b49ed3d86bca7e6c3a3f095
Instruction Fuzzy Hash: 5B213172104204DFDB11DF58D984B2ABBB5FB94328F24C9A9E90D0F242D37AD447CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0154D1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2556411601.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_154d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80846d667a3a7e3fc42aa736f5b0b844d0abb59fb2741fe2f022303dc0e25fc8
Instruction ID: 7ce44c12d12fcb606d10742620d4051fe2574b05d40a8cafe740900a93674c68
Opcode Fuzzy Hash: 80846d667a3a7e3fc42aa736f5b0b844d0abb59fb2741fe2f022303dc0e25fc8
Instruction Fuzzy Hash: 7E214975608304EFDB01DF94D5C0B1ABBB1FB94728F24C9ADE8094F246C336D406CA61

Uniqueness

Uniqueness Score: -1.00%

Function 067E0400 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee67b1829320c6ef9491bafab5eed66d02e5bbec62f1b60c913a00f39f1a653
Instruction ID: 2deb3ceb24df1e6046880a0492a99133b4c0f073d4b02505a2bac4723102c2d8
Opcode Fuzzy Hash: 1ee67b1829320c6ef9491bafab5eed66d02e5bbec62f1b60c913a00f39f1a653
Instruction Fuzzy Hash: 0E113672A0E3C09FD347CB2898746B9BFA09FAB22070D40DBD084CB263D6249C08C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 067E1D90 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431647301036d14b5542f24454ff45f060f01d12d878f7521d3dbdc95c6fc16b
Instruction ID: 2022d4c78406cb8727158338dbbec07651ee550bfa80b21547c8b77a2339b330
Opcode Fuzzy Hash: 431647301036d14b5542f24454ff45f060f01d12d878f7521d3dbdc95c6fc16b
Instruction Fuzzy Hash: D211B730608A108FF7645F24E0197757BB6EB49742F50C81FE147C6A5BCBB19A8C8BD2

Uniqueness

Uniqueness Score: -1.00%

Function 067E2656 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd99e74912d58b06fbf28dd557cf12b44e0ead92f28f97e45a707b0e1c56dc2
Instruction ID: 3c134178f0c1544a6250036f7f2bd44c592bf726e13159c51cc62773268f5e09
Opcode Fuzzy Hash: 4bd99e74912d58b06fbf28dd557cf12b44e0ead92f28f97e45a707b0e1c56dc2
Instruction Fuzzy Hash: CC210871A0010ADFDF45DF94D884AAE7BB6BF8C340F148115F921A7661EB30DA65DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0154D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2556411601.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_154d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9409425b538432de5fb3468f684cba1ff8b999b2cec3de05dd219cfab2b18c7e
Instruction ID: c00fc0d29c0b139eef91de9dff8bd3527c679f291c0036229061cf10e778b6b2
Opcode Fuzzy Hash: 9409425b538432de5fb3468f684cba1ff8b999b2cec3de05dd219cfab2b18c7e
Instruction Fuzzy Hash: 3921A1755093848FCB13CF24D99471ABF71FB86214F29C1EAD8498F653C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 067E1DA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799a80521dd6fc3551d9818b24d70988c8d37413b7c172dbaae6ba0c58835e52
Instruction ID: 7e4b651429e758cda7abd8bda891fb29153f301ade128d312973b0b397c9a5f5
Opcode Fuzzy Hash: 799a80521dd6fc3551d9818b24d70988c8d37413b7c172dbaae6ba0c58835e52
Instruction Fuzzy Hash: 84115730708A10CFF7985F14D029779B7B6AB88742F50C81EE107C6A5ACBB59E4C9BD5

Uniqueness

Uniqueness Score: -1.00%

Function 067E8A61 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92615559e1396be25f2daf2bc3e563e08100c4e3c9c7e015187f98857115f2e2
Instruction ID: af60b9a5e5cea67b9b9c9ce3e59c1dedcaac961a6702caf8a401efdd4bcc9dbb
Opcode Fuzzy Hash: 92615559e1396be25f2daf2bc3e563e08100c4e3c9c7e015187f98857115f2e2
Instruction Fuzzy Hash: FA115E38700206CFDB54EB65D554B2AB7A2EBC8304F10C56AD4420B395CF7AAC86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0154D1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2556411601.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_154d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21f20f9b933fcfff6280cc061701e95e78f5f46405777b46ba0931fd6c09a03
Instruction ID: e33f8c3c5cb5ba15324dc70c7424e27c04aa3eea3977493d2d550d83c6b9743e
Opcode Fuzzy Hash: c21f20f9b933fcfff6280cc061701e95e78f5f46405777b46ba0931fd6c09a03
Instruction Fuzzy Hash: 2D11BB75508284DFDB02CF54D5C4B19BBB1FB84328F24C6A9E8094F257C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 067E8688 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e8c5b821f036da6dd6861e1310f753decd670654b49b068176b49bbf91fa12
Instruction ID: 7714e510c057ac8e43e6d985ad49c3099014032d1ffbc831875879e050094834
Opcode Fuzzy Hash: 46e8c5b821f036da6dd6861e1310f753decd670654b49b068176b49bbf91fa12
Instruction Fuzzy Hash: B3018F3460E3C48FC303AB20D9658A13FB5AB47344B0A80E7E094CF2B3C6289D4AD763

Uniqueness

Uniqueness Score: -1.00%

Function 067E0448 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f56d87036d5eca70b0da2e3f8bef59e9d380f16e4346badb00c930066e135b5
Instruction ID: 4365241a09fd48ce50ff05046fb0acfde3dc371d5d0114b7b42e943b1a66dba1
Opcode Fuzzy Hash: 3f56d87036d5eca70b0da2e3f8bef59e9d380f16e4346badb00c930066e135b5
Instruction Fuzzy Hash: 8EF082757051049FD359CA0DD4A8B7EBBE9EB8E370B18406AE909C7350DF72AC41C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 067E049C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2ed84f7fbef0ca9fa763fe8307bbb91997e9d40f8fc276c1a8d6ea84657e24
Instruction ID: 18d7b7d9f1c3d2cf408bfa5a0a969336652a22dd6270fac53d32fdd36a63fe8b
Opcode Fuzzy Hash: 7d2ed84f7fbef0ca9fa763fe8307bbb91997e9d40f8fc276c1a8d6ea84657e24
Instruction Fuzzy Hash: 12F02EA2B0E1408FE34A4728A47833D7B90DFAB300B0C40EFC646CF261DB569855C395

Uniqueness

Uniqueness Score: -1.00%

Function 067E8678 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d39927dc81ccd77cd07d68e912a56eb7dfbc129da7ed1b343ab51f858915b74
Instruction ID: e4f2db641f9aeec02d16537d56e4261977476c2e2d4c13420dd5a5b08a7621fb
Opcode Fuzzy Hash: 7d39927dc81ccd77cd07d68e912a56eb7dfbc129da7ed1b343ab51f858915b74
Instruction Fuzzy Hash: DFF03038615244CFD306EB10EA55CB13BF9EB4A384B0584AAE8558F273C734AD45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 067E6231 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bd099c2194172793c27cec602c4a78fbf0e0dc0e10baa30de0d34c09d99c51
Instruction ID: 428decaffb08f10311e2e06900511547b91413ee26b47c756c37baeadb0c72b4
Opcode Fuzzy Hash: 32bd099c2194172793c27cec602c4a78fbf0e0dc0e10baa30de0d34c09d99c51
Instruction Fuzzy Hash: 15D0A7A1E1E2E04BDB42575429103493BAA4BEB180B1A44C7E049D318AD4548C844755

Uniqueness

Uniqueness Score: -1.00%

Function 067E21C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2977568011.00000000067E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_67e0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f74fe47f39739ed6ba62193d1160ddabe1c98db00b09f938abf2d326b073f8
Instruction ID: 59387407b8472499f34b58fb991e4efd5cb42405d2d929af25d43157db9ad133
Opcode Fuzzy Hash: 14f74fe47f39739ed6ba62193d1160ddabe1c98db00b09f938abf2d326b073f8
Instruction Fuzzy Hash: 61B0920640A3C02EC25355203C638D22FA954235913070683E081B5463800A064982A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 6080, Parent PID: 500COMMON

Executed Functions

Function 01634F58 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1f6cc0ab8ed0968398938ce3ea2fe7b44148823abca7e69157ec15f92c984d
Instruction ID: 91f84a25a0e939d7a394d32046e38d19db0d8fe549a107c92e956ab378fa71e3
Opcode Fuzzy Hash: 0b1f6cc0ab8ed0968398938ce3ea2fe7b44148823abca7e69157ec15f92c984d
Instruction Fuzzy Hash: 23E18F70B00219CFDB09DFA9D8546ADBBF2BFC8311F248169D906AB394DB359C42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01631049 Relevance: .8, Instructions: 841COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b581515de608333fdd5cfdb2520d3bfca8507fc50c6b114d6aaaf5cd63ec0e2
Instruction ID: 655256c5594e6d985910663414b16210d6fef9aa552ada0201af5b0486d891fa
Opcode Fuzzy Hash: 7b581515de608333fdd5cfdb2520d3bfca8507fc50c6b114d6aaaf5cd63ec0e2
Instruction Fuzzy Hash: 6C82817470010AEBEB06DFA8E568B6E7B73EB98300F244058E901337A5CE396D55DB76

Uniqueness

Uniqueness Score: -1.00%

Function 01631058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d82f68355e552c035b91328794c639baf116132ddba0e6d06891a8109f7976
Instruction ID: 355a1a36ff29bb1a1aaf3ee5a584bcf243c74c9a49000507585f3a40d068b9f9
Opcode Fuzzy Hash: f1d82f68355e552c035b91328794c639baf116132ddba0e6d06891a8109f7976
Instruction Fuzzy Hash: 0782817470010AEBEB06DFA8E568B6E7B73EB98300F244058E901337A5CE396D55DB76

Uniqueness

Uniqueness Score: -1.00%

Function 0163B0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384353f8f0a7ff18909d301df4708b680cd6bd5f17a2f8bb5f059c1304f94108
Instruction ID: 2397581903b83ee2466e9a790208035b9e3d4f8582b1b809d36efc99b5381a61
Opcode Fuzzy Hash: 384353f8f0a7ff18909d301df4708b680cd6bd5f17a2f8bb5f059c1304f94108
Instruction Fuzzy Hash: 1A522634B01201DFDB19EF28E858A6D7BB3FB89701B688469D8069B365DF35EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01633BE0 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3193ef0a60a70f5ed23e91876048043ab2c8611641c8646729c628e2e6b4c9d
Instruction ID: fc180193c921b19e7d19e2f46978073de4a94519f0fdbdc322b1ca4ae8865442
Opcode Fuzzy Hash: e3193ef0a60a70f5ed23e91876048043ab2c8611641c8646729c628e2e6b4c9d
Instruction Fuzzy Hash: F9F18E74B00205DFDB09DF69D864A6EBBA7EFD9300B148069E506AB3A5CF359C41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 016338C4 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a6e535f3faec74e481b90766ed9f9656f262f957abcac6a01afd5ca16e85c7
Instruction ID: d6d5e52bfd479c3753d37f62e4238189d468ad2ab818362208d9d6ad2d1e4321
Opcode Fuzzy Hash: c0a6e535f3faec74e481b90766ed9f9656f262f957abcac6a01afd5ca16e85c7
Instruction Fuzzy Hash: 10B12C74B00119EFDB05DFA9E864AAE7BB6FFD8310F144119E906A73A4DB359C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01635640 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1d22c42d80c6273d2a13c716f121fe21ad305d23ed99482aa68643281e8157
Instruction ID: 40dddec47a2762092afbaf65c4eac8200e3e64c032a788d783fc8126f1a3bfc8
Opcode Fuzzy Hash: fc1d22c42d80c6273d2a13c716f121fe21ad305d23ed99482aa68643281e8157
Instruction Fuzzy Hash: 6C81AD70B01215CFDB09DF69E954A6EBBF6AFC9600B25806AE506E7365CF30DD06CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0163BB99 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39c1391f7c98f0279da7a3242d0390d8e2199c6fc9a6a4cfb12cf6466c01d3d
Instruction ID: 814397be02fc2ee667f924ce04fdc4ec04beaefcd2d4ae0281f927c25b1c4c37
Opcode Fuzzy Hash: a39c1391f7c98f0279da7a3242d0390d8e2199c6fc9a6a4cfb12cf6466c01d3d
Instruction Fuzzy Hash: 7881C070602206DFEB10DB2CF989D59BBB2FB98785B148568D9068B235CF39EC49DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0163385A Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea6e7aa0e07b52fda6e7fdfd2274e60f7a2f62d8c7f164b22434c22ebc84703
Instruction ID: 2d3633dbf0da1c9d419e5e3e64b567afd1c2821511aa8e4954a37ce23ac56b33
Opcode Fuzzy Hash: eea6e7aa0e07b52fda6e7fdfd2274e60f7a2f62d8c7f164b22434c22ebc84703
Instruction Fuzzy Hash: F5613D74B01219EFDB09DFA9E9A4AADBBB2FF8C310F148019E905A7364DB359C41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01635A91 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab456c9dda6b77a0542c73d194be9ab7b20232c892e77a32addfeb98f6856dbf
Instruction ID: c5c267011844726b3a1dea61974bc29893326bb5f04392fbb0aa5148a993c7bd
Opcode Fuzzy Hash: ab456c9dda6b77a0542c73d194be9ab7b20232c892e77a32addfeb98f6856dbf
Instruction Fuzzy Hash: DE511775B002068FCB08DF69D994A6ABBF6FF8D210B1141A9E506DB365DB31EC01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01635240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2b2430ac50bf2ad74a7b72ad23b851a154df3198f9ee2b899c3b3b55b57711e
Instruction ID: 34dc9d517b32e55e65732431800240eb8875c9d710e2f3b95ff2b8d5af2e8f97
Opcode Fuzzy Hash: b2b2430ac50bf2ad74a7b72ad23b851a154df3198f9ee2b899c3b3b55b57711e
Instruction Fuzzy Hash: 6C513E70A01218DFDB14DFA9D894AADBBF2FFC8711F148069E806A7364DB35AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01633904 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deac0d9b404213ab723908779fb7a4cad6c3f258a3c867d3620e081f1c085be1
Instruction ID: cad089b19edd60ecb38b859e00ce75109d7d302c548164df9560890d9556c5e3
Opcode Fuzzy Hash: deac0d9b404213ab723908779fb7a4cad6c3f258a3c867d3620e081f1c085be1
Instruction Fuzzy Hash: 02410B74B01119EFDB05DFA8E864AADBBB6FF8C310F244019E905A7365CB359C51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0163BEAF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c095b035811d42f8a99e0acab9a60d10a53adbfd2fba47da8b45ceb238aea247
Instruction ID: e4f5ebddc53ecf0bc748e814d8a35bd012303449d076ac6f9bedfb60c1b4f378
Opcode Fuzzy Hash: c095b035811d42f8a99e0acab9a60d10a53adbfd2fba47da8b45ceb238aea247
Instruction Fuzzy Hash: BA413B747006058FC744DF6ED898A6EBBE6BF99B10B2581ADE406DB3B5CA71DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 01632850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2595509aa5cb766e7e8d11c7ce78ef0723b34a24452acf1b4191b5f032c325e
Instruction ID: 27a80d59523da2cba965cee475c8bc5f0b5755a65f43c1730d2127652df74d89
Opcode Fuzzy Hash: d2595509aa5cb766e7e8d11c7ce78ef0723b34a24452acf1b4191b5f032c325e
Instruction Fuzzy Hash: 5D41D474A01209DFDB15EFA9E894AADBBB2FF89340F144529D902AB264DF359C41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01632B10 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768061862109723005676025746809b4f1a46c1b13e1071d50fbb7c1c3034a8d
Instruction ID: 958838e7d23df695641794b66164edb8c68f90ef67267db4fc68542e79dca43d
Opcode Fuzzy Hash: 768061862109723005676025746809b4f1a46c1b13e1071d50fbb7c1c3034a8d
Instruction Fuzzy Hash: 5F310374702215CFC709DB39E4A4A2A77A3EBC9A50769816AD0069B3A5DE36DC43CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0163BEC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67712f99f80a08146f123ec7e7aa0b25f64ceb8c1a700d9b99180ccfc4ef30fb
Instruction ID: 6369b0af5b3f10dfcddd3ba1450fb476dc3320ad04858b41c2b32fa3f6577245
Opcode Fuzzy Hash: 67712f99f80a08146f123ec7e7aa0b25f64ceb8c1a700d9b99180ccfc4ef30fb
Instruction Fuzzy Hash: FD313B747005058FC744DF6ED498A2EBBE6BF99B10B2580ADE506DB3B5CA71DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 01635308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db34256f3eda6c80030b060a622d4952466986db772c8f74214d9ff1fc32649d
Instruction ID: 3f42c79a6098a48b91e3811ed4e2d011608d8f5624252035e8e9c83dac1c5dbd
Opcode Fuzzy Hash: db34256f3eda6c80030b060a622d4952466986db772c8f74214d9ff1fc32649d
Instruction Fuzzy Hash: 2641FA75B01114DFDB08DFA9E8989ADBBB3FFC8311B248069E806A7364DB349C42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01632842 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d375e87ac0ed7c5cb10d43c0f8f77a9a83acde668821d99c607fc33af727bc5
Instruction ID: fea93327b0887c129e4d6dfd02061e75b575d4692eb3eeb257d00f33297e7de4
Opcode Fuzzy Hash: 0d375e87ac0ed7c5cb10d43c0f8f77a9a83acde668821d99c607fc33af727bc5
Instruction Fuzzy Hash: C7313B70A01209DFDB19EFA9E8946EDBBB2FFC9340F144129D502A7254DF355946CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0163B0A0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce363544544e9794c6a1e413c2a130bde28bacb5790f1de103b66ad8940ac29d
Instruction ID: a0df783548f5a96b06e29d24f98a7079c1402f11060d5b1046ccf158b5f26c0a
Opcode Fuzzy Hash: ce363544544e9794c6a1e413c2a130bde28bacb5790f1de103b66ad8940ac29d
Instruction Fuzzy Hash: 9631EF70A00209DBDB14DB79E8596ADBBB2FFD5300F48852ED6069B361DF71AD058B80

Uniqueness

Uniqueness Score: -1.00%

Function 01633750 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b6ad1e9a3af7ab787378bcd25c645b95f064e391507cbc6e9c7792b11326ac
Instruction ID: adb6346d7c5865f1dad21d136b7a1ab2137b05873ae093c14d7d5d5814e81974
Opcode Fuzzy Hash: 98b6ad1e9a3af7ab787378bcd25c645b95f064e391507cbc6e9c7792b11326ac
Instruction Fuzzy Hash: 7E217B317042544FD31EAB7A681013E37E3EBCE520328826ED906D73E5DE288C0783E6

Uniqueness

Uniqueness Score: -1.00%

Function 01632C48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf977f2c6d938ffee3b26a274db9812a0a4691a5b8e075aec558c6817fc21f3
Instruction ID: 51098580f83b414079e22eedeac93789b934f2f73faa8cdbaba04abb81a9bc5f
Opcode Fuzzy Hash: abf977f2c6d938ffee3b26a274db9812a0a4691a5b8e075aec558c6817fc21f3
Instruction Fuzzy Hash: 6E41FE74A0020ACFDB05DFA8E998AEE7BB1FF98310F144569D505A7360DB355D81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01634B50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c594ed263d060df4891863aa5da64ad6661358bcd8c21f384f888f804552e018
Instruction ID: cfdf0a48a63e6c0eb3351e7cba077b320eade3812dcc931dd27bad603f60e0a6
Opcode Fuzzy Hash: c594ed263d060df4891863aa5da64ad6661358bcd8c21f384f888f804552e018
Instruction Fuzzy Hash: ED21F9312052439FD706EF79EC60A5D7B62FFD5700B088A1ED5058F269DF71AE098791

Uniqueness

Uniqueness Score: -1.00%

Function 01632C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05eca7515bda01005f070ec6c786e6d05727449357d706420c432b3c332d7f18
Instruction ID: 6107ab5922786703aa5152a42683743cc4717f69fcbc69838c181e59f2a5938e
Opcode Fuzzy Hash: 05eca7515bda01005f070ec6c786e6d05727449357d706420c432b3c332d7f18
Instruction Fuzzy Hash: 2831EA74A0020ADFDB14DFA8E9986EEBBB1FB98310F144169D501A7364DF396D81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0163288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15274be41aafef9a8ef5d1fc8d2bb79c1efce9a6213f213c09f14c5cee2a074a
Instruction ID: 49b03bd31fabd33d23b3792d9681458badcb30910f49d1b88c19ef231d34c67e
Opcode Fuzzy Hash: 15274be41aafef9a8ef5d1fc8d2bb79c1efce9a6213f213c09f14c5cee2a074a
Instruction Fuzzy Hash: 8631E974A01209DFDB19DFA9E9A46ADBBB2FFC9340F14412ED902A7254DF355845CB20

Uniqueness

Uniqueness Score: -1.00%

Function 01634B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4aab64484beb3bc5cfdc57c44251041ed4192c84031dc30692711e681b336c8
Instruction ID: 92f5192e61396013250362aef344cbfc6d2bb09e6f3c5fee09e6ecdaee396b82
Opcode Fuzzy Hash: c4aab64484beb3bc5cfdc57c44251041ed4192c84031dc30692711e681b336c8
Instruction Fuzzy Hash: 9521D5312002039BD709EB3AF850A5EB7A7FFD5710B088A2DD5058B268DF71AD498BD4

Uniqueness

Uniqueness Score: -1.00%

Function 01632908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890cfbfa22e772413383094c3afb3b4c8025bb058df8d687dc8e323e7debe14a
Instruction ID: a4dc8acc6c5eab801ed36c0c1480e8b2a850a1e4afd3799bef8b0174bac2901c
Opcode Fuzzy Hash: 890cfbfa22e772413383094c3afb3b4c8025bb058df8d687dc8e323e7debe14a
Instruction Fuzzy Hash: F021E674E00209DFDB15DFAAE8A4AADBBB2FFC9340F14812AD911A7264DB355841CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01635C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc862eff8b8607f4907504b707621cd1430c894acce989b15ac4e7333f53d700
Instruction ID: 81b66a7aa08bed0ad1b07ca11b9b884fccd26845595b72afe19ed2c27e0b20e0
Opcode Fuzzy Hash: bc862eff8b8607f4907504b707621cd1430c894acce989b15ac4e7333f53d700
Instruction Fuzzy Hash: 9C214D35A00218CFDB10CB99D998ADDBBF1AF8C314F200199D506BB361DB759D44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01634237 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909342abdfbd38597c5fa494b3a179b66829a4f16125abbff1dacc550041c92b
Instruction ID: 6407174ce928d26d427d068764ff3b8086a8f44be2f4ae699c0d679ccc18b7b9
Opcode Fuzzy Hash: 909342abdfbd38597c5fa494b3a179b66829a4f16125abbff1dacc550041c92b
Instruction Fuzzy Hash: AF116B323091808FD30ADB7968242AD3BA3EFC6A10348469FC481DBB51CF39990AC795

Uniqueness

Uniqueness Score: -1.00%

Function 01636888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af5d1ca3eca626b235c70c4d8f6e817438b11210a8c6b7793ef716de4d27258
Instruction ID: aa5dafb6d95883556f67f5410b60e63923f54c1af09023d1d12d0607e85f8988
Opcode Fuzzy Hash: 4af5d1ca3eca626b235c70c4d8f6e817438b11210a8c6b7793ef716de4d27258
Instruction Fuzzy Hash: E6218471900206DFDB14DFA9CD487EDBBF1FF85304F118469D015AB291CB769A05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0163296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74720d231a423306bb8dc925aa239ca56a2d8f126bca6d6a39fa5f04f999669c
Instruction ID: 4c169644dd7f733f89c38da9eadbfadaff5d3bb782a57409e091eaa2be7772ea
Opcode Fuzzy Hash: 74720d231a423306bb8dc925aa239ca56a2d8f126bca6d6a39fa5f04f999669c
Instruction Fuzzy Hash: 9A21E274A0120CDFDB14DFA9E994A9CBBB2FF89300F24412AE905AB364DB34AD41CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01635C5A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc5d6f96a9bb85022818bb650e8258a87e63a74670e38014f67cb7fe4ac2e68
Instruction ID: 874e2fefe015e6459fbb7fcc9af8bcf4c23f10ca59b58bd51c4e94c6bb2fb12b
Opcode Fuzzy Hash: 6fc5d6f96a9bb85022818bb650e8258a87e63a74670e38014f67cb7fe4ac2e68
Instruction Fuzzy Hash: 0C215C31A00218CFDB11CBA9C998BDDBBF1AF8C314F240199D102BB361CB759D85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 016341A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f22e8fd25c68bf755f3537680fc75ddeefbe92967cf021f01385d54a1122cc
Instruction ID: 97ff6218d80e315dd1128b8451733d2aa5b6aadece19d90fda3bf442762b6daa
Opcode Fuzzy Hash: 19f22e8fd25c68bf755f3537680fc75ddeefbe92967cf021f01385d54a1122cc
Instruction Fuzzy Hash: 9101683220A3815FD30AAB766C6019E3FA6FFCA520368498FD401DB391CF311E0AC766

Uniqueness

Uniqueness Score: -1.00%

Function 016332E0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49396b43b4a08ed67532bf0d9c4abafc8f23d72cf971f4bf5356a95325d0d9b0
Instruction ID: 2f4938f2db394b1a631a2d301bc64fc742a39e5e089d3f7b510a041fcaefefec
Opcode Fuzzy Hash: 49396b43b4a08ed67532bf0d9c4abafc8f23d72cf971f4bf5356a95325d0d9b0
Instruction Fuzzy Hash: 59113C35A021408FCB08EFB8F96CB9D7BB2ABDD301F044429D402A7394DF3959A5CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01635940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7da2ec0300b69f41d59b3546a6416f37608b294e35b0f8a6eecf04f6e12f9f5
Instruction ID: f723eb80b7f3ffb2c9c9208d0e61b196dcfdffacef8af3644ea6a8165f9220ac
Opcode Fuzzy Hash: a7da2ec0300b69f41d59b3546a6416f37608b294e35b0f8a6eecf04f6e12f9f5
Instruction Fuzzy Hash: A30181B63011109F8714EA6EF498829B7A6FFDE665311857EE606C7314CE319C02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01632A80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fa18b1352ff94bba59e644eedcf2efa88d08c5aac55dfecc109442638867f2
Instruction ID: 1e9c7b1913f4c98e439613827ecb04fd4956641415391660b8d13809bd2106d1
Opcode Fuzzy Hash: 04fa18b1352ff94bba59e644eedcf2efa88d08c5aac55dfecc109442638867f2
Instruction Fuzzy Hash: 8E015A756106018FC311DF79D91589BBBF1FF85A103148A9ED146DB725DB31EC188F90

Uniqueness

Uniqueness Score: -1.00%

Function 016332F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d4bca843337071432ab2afc1a0f33f12583b2c7e921375f647933d4283eeca
Instruction ID: 2b549017a0366ca0768f2386b202d86a2e921e205890bd9932e75cc9ab56893f
Opcode Fuzzy Hash: 58d4bca843337071432ab2afc1a0f33f12583b2c7e921375f647933d4283eeca
Instruction Fuzzy Hash: 38014C38A062448BDB08FBB8F96C79EBBB2EBDD301F004428D40297384DF395895CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01635931 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96db7b9d63647a6d2f84f97b3b00e42eb0bbede4a20f17719f2a1e8012763430
Instruction ID: e125ca1683616f368ee4aa61998a65d6219558c31cf258904e5ea94ebdefe45e
Opcode Fuzzy Hash: 96db7b9d63647a6d2f84f97b3b00e42eb0bbede4a20f17719f2a1e8012763430
Instruction Fuzzy Hash: 52F0AF763022108FC715EF29E494819BBB6EFDB65531589AEE405CB365DA30DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0163638A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e3517908b83eb596c050f253ca72f34fdac71de1dbeca8c8e61b5a57fda9b8
Instruction ID: 652dff91275bf8d00c787f110b23998ab993cf4dc6f126e661c800514d02937e
Opcode Fuzzy Hash: 59e3517908b83eb596c050f253ca72f34fdac71de1dbeca8c8e61b5a57fda9b8
Instruction Fuzzy Hash: 61F04F70A01209EFCF40EFB9E95059DBBF1FFAA200B21469DD805E7255DB312E15DB62

Uniqueness

Uniqueness Score: -1.00%

Function 016341E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77cc5e993061f444732471e76ed0b086f470da51022eb0071f265e41d5ffd4c1
Instruction ID: 9e92dda1ff453550bf7bb7256d3b61fe55277a81b8a188b25256d475a916e71b
Opcode Fuzzy Hash: 77cc5e993061f444732471e76ed0b086f470da51022eb0071f265e41d5ffd4c1
Instruction Fuzzy Hash: BEE02BB63051166F9748BAA77C5096F769FFBCDA60754482EE109D7304CF322C0087B5

Uniqueness

Uniqueness Score: -1.00%

Function 01632D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35df0bbe20f979d4e4acf3c646c5e308c72b115f24d8623092f771d4cfbd4126
Instruction ID: 478f09369d42bd24ca868a3830b410d499298bf39ade3bbebc994c0a2e688730
Opcode Fuzzy Hash: 35df0bbe20f979d4e4acf3c646c5e308c72b115f24d8623092f771d4cfbd4126
Instruction Fuzzy Hash: 55F03471E100188FCB84EFACC905AD97BF0EF49300B1141A9D51AE7321E7319A218B91

Uniqueness

Uniqueness Score: -1.00%

Function 01636398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74cb3566740008c7cf332ab0ea33072474de80aa25137ccfb2c73ba3cb5f3d6a
Instruction ID: 7cb5b840d484672e55e34ff3b2ea49192f6ae1aaf7350928e53a3ee1f5889afd
Opcode Fuzzy Hash: 74cb3566740008c7cf332ab0ea33072474de80aa25137ccfb2c73ba3cb5f3d6a
Instruction Fuzzy Hash: B9F05874A01209EF8B40EFB9E94455DBBF5EF99200F6086A99808A7354EB312E019B52

Uniqueness

Uniqueness Score: -1.00%

Function 01631FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db696e0a1547602d43c4612785c36f24bac36f1d1cd63fedcf9b45f2f9029bac
Instruction ID: 407c279da1628aaa2c6f7a3a5129948a8f472ba5f590808b936567ea4cc50d2e
Opcode Fuzzy Hash: db696e0a1547602d43c4612785c36f24bac36f1d1cd63fedcf9b45f2f9029bac
Instruction Fuzzy Hash: FDE092393462408FCB159B79E8688893BE5EFCE21530904E6E105CB731CA359D21C720

Uniqueness

Uniqueness Score: -1.00%

Function 01632DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81efd8de1b58ac881043bae193c89ba0f5c20b85e6e22c13d62b8225956a1caf
Instruction ID: 1c17cc0ab1207e41fd7e985ba71435c3e9a56bc2d8d78534c2126d7960d235d8
Opcode Fuzzy Hash: 81efd8de1b58ac881043bae193c89ba0f5c20b85e6e22c13d62b8225956a1caf
Instruction Fuzzy Hash: 7EE06D71E101188F8B84EFBDD5046DE7BF4EF48210B1040BAD50AE3310EB309D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0163374E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6dd0cedddd278346b36938d9f693e873114cb71155f53a896ef2dc9ed93540
Instruction ID: 8d5bc2b333cbc8a58f4cb4a5704d7e8be852ae2ebf6993f645a84d4496905c6a
Opcode Fuzzy Hash: cf6dd0cedddd278346b36938d9f693e873114cb71155f53a896ef2dc9ed93540
Instruction Fuzzy Hash: E1D0C27670001047873A4A2DB60447A26A7EBC8521318412AED09C7328EF70CD065394

Uniqueness

Uniqueness Score: -1.00%

Function 016366C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a2ce4351d757a04c4d32f8462993ddc1debeed1680ac05cfa199579089794a
Instruction ID: 03729c0b02d804efb5dc36730a7b8870f436ce872486f47bf63b57341b9258a8
Opcode Fuzzy Hash: 79a2ce4351d757a04c4d32f8462993ddc1debeed1680ac05cfa199579089794a
Instruction Fuzzy Hash: FFD05E3171A2A09F8705A75CB8504987BE5EE8FA2230905EBF101DF35ACA609C1593A2

Uniqueness

Uniqueness Score: -1.00%

Function 01636469 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1497044c134bc77bfec1b36e3dd77aa0921f7ae225239dc31e16c6d69d34f3c5
Instruction ID: 5486158881a6f9c3d1e6ce07d27b7eadddf889791bcd2b60cd20a88b2ebf8206
Opcode Fuzzy Hash: 1497044c134bc77bfec1b36e3dd77aa0921f7ae225239dc31e16c6d69d34f3c5
Instruction Fuzzy Hash: DCD05E787542008FC704CB68D2949143BB6EF9E31171605AAE109CF375CF74DC42C719

Uniqueness

Uniqueness Score: -1.00%

Function 01635631 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c02798363facb17adefca8009e3f86ecf659f757d16029649fa9c37ce1f943
Instruction ID: 58dce07dbfb25fceedd4bf2f69ac6f48b7bb2c4e848114dfa338c5ab432a817b
Opcode Fuzzy Hash: 49c02798363facb17adefca8009e3f86ecf659f757d16029649fa9c37ce1f943
Instruction Fuzzy Hash: 18D0A7305151804BDB02477CEC656523F75DE6751130C09C59C449B226D521907BA311

Uniqueness

Uniqueness Score: -1.00%

Function 01636478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2556433147.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1630000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f9d47dc63840fe0428e3805d3fae6a540e5505290ce84b9a4aa81593156a76
Instruction ID: 8b390d9b83e2e79302c07fb25f023540b5689b23ce81ce186bd14c92300963d3
Opcode Fuzzy Hash: e8f9d47dc63840fe0428e3805d3fae6a540e5505290ce84b9a4aa81593156a76
Instruction Fuzzy Hash: 2CC012343802088F8208DB6CE09482933EAEBCD71032001A8E609CB335CE21EC828A18

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 4552, Parent PID: 500COMMON

Executed Functions

Function 02704F58 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4809f31e8f597c0f50d13cd3fa3c468db3a7f33a9ea50058f9dca23376799ff8
Instruction ID: 75e7518f05297e819e644b5a867d131ee91e832cbd8a30010a9cea6dd0c9e148
Opcode Fuzzy Hash: 4809f31e8f597c0f50d13cd3fa3c468db3a7f33a9ea50058f9dca23376799ff8
Instruction Fuzzy Hash: 72E14E30A00214DFDB08DF69D4946AEBBF3BF88314F648169D905AB394DB359D46CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02701058 Relevance: 2.1, Strings: 1, Instructions: 835COMMON

Download Yara Rule

Strings

(m, xrefs: 02701EBA

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID: (m
API String ID: 0-2330744541
Opcode ID: af067406becf22c793b3d8fb95db65e927467ece33a951c8596e3d79fc26cb3b
Instruction ID: e90fdd8ab955f95df102fffa0e5bb09746a0d31b7186aea6fe88c5554ce5a07a
Opcode Fuzzy Hash: af067406becf22c793b3d8fb95db65e927467ece33a951c8596e3d79fc26cb3b
Instruction Fuzzy Hash: B0823C7860060AEBEB06FFA4E564B6E7B77EB88300F244458E90137399CB756D51DF22

Uniqueness

Uniqueness Score: -1.00%

Function 0270B0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

D@, xrefs: 0270B742

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID: D@
API String ID: 0-2222373746
Opcode ID: ba1452bbe11f46349bd0f788abaa1de6c0f750d53935cbac657b223ac8c66dd7
Instruction ID: 20a6720fd327f89a4bb87318513753d3f503ea1b0a8872effd0a023f41c9e774
Opcode Fuzzy Hash: ba1452bbe11f46349bd0f788abaa1de6c0f750d53935cbac657b223ac8c66dd7
Instruction Fuzzy Hash: 29528A34A01601CFC719EF35E498A2D77B2FB84309B2495A9D4269F3A9CBB5ED85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02703BE0 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd518b9848e27884250d7b35f4d1b419289a35ab335748220e06365b0eb5734
Instruction ID: d8862d97954363b3a35ea084f85b2993bcccb138926670a13eef630f8c674e92
Opcode Fuzzy Hash: dfd518b9848e27884250d7b35f4d1b419289a35ab335748220e06365b0eb5734
Instruction Fuzzy Hash: 19F14E34700205DFEB05AF69D8A46AE7BF7EBC9310F148099E906EB3A5DF359C458B60

Uniqueness

Uniqueness Score: -1.00%

Function 0270385B Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0f5eaeeb6a9a938a931166f301bba9fcd043cad7d8ac4b3ddcfd883d61fd0c
Instruction ID: 789672d3648d5959ad7510dbbfcaea40fcfdc3e99de020576a7446469ccdcbd1
Opcode Fuzzy Hash: 5a0f5eaeeb6a9a938a931166f301bba9fcd043cad7d8ac4b3ddcfd883d61fd0c
Instruction Fuzzy Hash: F6C11E34B00215EFDB05EFA8D8A4AAE7BF7EF88310F144159E905A73A5DB359C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02705640 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6f9e1c3e8b87353fd5e9c611701fef368800d5b9a52916c565c426bc8ddf16
Instruction ID: 7a259052780ba883cd9714ec3094ba75b315ae728bff6e5a6c0e404530bac53a
Opcode Fuzzy Hash: 1c6f9e1c3e8b87353fd5e9c611701fef368800d5b9a52916c565c426bc8ddf16
Instruction Fuzzy Hash: 8F717B70B00204DFE704DF69D494AAEBBF6AF89210B648069E906E73A1DF30ED06CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0270BB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c0735d2e3918e3cdf54616223416c89cf727d14dd00882c3189c8c244b1eac
Instruction ID: 4af12a30d19c90e2526e9ea2fc4ece71cc032810b5445da9f5dc279648b2a2b3
Opcode Fuzzy Hash: e3c0735d2e3918e3cdf54616223416c89cf727d14dd00882c3189c8c244b1eac
Instruction Fuzzy Hash: 19810978601602CFC712EF24E989E6ABBB2FB44305B15D5A9D1258F369CBB0ED49DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02705A91 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452b2159338251a56a4be3a590fb0bef284c7a2566e68276d4f77417ce438f10
Instruction ID: 76b3947f71802bc2548feef5c7f99475a325927671b5ac5de0f9849961f0998c
Opcode Fuzzy Hash: 452b2159338251a56a4be3a590fb0bef284c7a2566e68276d4f77417ce438f10
Instruction Fuzzy Hash: 3C513BB4B00206CFDB04DF68D594A6EBBF6FF89214B5141A9E505DB361DB31EC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02705240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500deed125bed8223a3b5972e817cbba41901f6f96878f2d8d70b9d6db10487c
Instruction ID: 00e3eb9d0dd9470e86777f7a0438e4cab54deb5c75e48832ce16474c246f2a8b
Opcode Fuzzy Hash: 500deed125bed8223a3b5972e817cbba41901f6f96878f2d8d70b9d6db10487c
Instruction Fuzzy Hash: E5512A31A00218DFDB14DFA5D494AAEB7F3BF88715F548069E805AB3A4DB74AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02702850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676393a6c0fb85f6afdda311f72cb360eb1eadbe4159edc5d061f225f0533457
Instruction ID: 2427540420e6575138123772318a08a6081ddcec72e96952ed60c5ca5d2efad2
Opcode Fuzzy Hash: 676393a6c0fb85f6afdda311f72cb360eb1eadbe4159edc5d061f225f0533457
Instruction Fuzzy Hash: 6941F574E10208DFDB14EFA5E8A4AADBBB6FF88300F14456AD902AB395DF349845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02702B10 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea6540e292b15e44057e35d6959cc30e96885526e5ce2b94fa7a3e895dfd992
Instruction ID: e6c6a31c273ab75d9471666316f1ad960e930ba73f0d1411f3f9c87c9ea5c061
Opcode Fuzzy Hash: 7ea6540e292b15e44057e35d6959cc30e96885526e5ce2b94fa7a3e895dfd992
Instruction Fuzzy Hash: D6313935701605CFD709EB39D4A056E33B3EBC9A1076581A9D1168F3A6DE3ADC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 0270BEC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33374fb39aeb26d7de8c28b1a37f3a6da5ab521527cff315dbd952c43d29ff19
Instruction ID: a830bcb3dd02a66dff680765f192463e961207a5e632b096335563807778403e
Opcode Fuzzy Hash: 33374fb39aeb26d7de8c28b1a37f3a6da5ab521527cff315dbd952c43d29ff19
Instruction Fuzzy Hash: E1313C347005049FC744EF6DD498A6EBBE6FF89710B2580A9E506DB3B6CE71DD018B90

Uniqueness

Uniqueness Score: -1.00%

Function 02702843 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8731c965126d81a478c1ffe9cb1a8fefb23073a6771fe22610df3f54c57f92
Instruction ID: 500a8dc18a570c5442bde43bd98e9e0980bfae436584d0155d6fb93c0fc52226
Opcode Fuzzy Hash: bb8731c965126d81a478c1ffe9cb1a8fefb23073a6771fe22610df3f54c57f92
Instruction Fuzzy Hash: 98316CB5E10209DFEB04EFA5E8A46EDBBB6FF88310F144569D901AB394DF345949CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02705308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9386c569fdffb216f1e177f6bc0c17cda9b38afb80e66d17592678bef3690e
Instruction ID: d4e2056bcab4b34dfc3373828e55daffba1d66d775fbb4306fda085f9314a3d0
Opcode Fuzzy Hash: 3c9386c569fdffb216f1e177f6bc0c17cda9b38afb80e66d17592678bef3690e
Instruction Fuzzy Hash: 2A410935A00614DFDB05EFA5E498AADB7F3FF88315B608069E806AB3A4DB349D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02702C48 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b450befdcc6e5926537700de52aa19cc91b4b637785de062a64be3981756bf46
Instruction ID: cd09686edbcb897ceff0ceca1bfff2ed23b584bbe5037368ff0e4718d078fa9b
Opcode Fuzzy Hash: b450befdcc6e5926537700de52aa19cc91b4b637785de062a64be3981756bf46
Instruction Fuzzy Hash: 0A412A74A0020ADFDB04EF74D4946EEBBB6FB48310F1041AAE501AB354DB75AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02703750 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069b6e407d859e664c990951a5508d2bb8a85b77df5e7a8b6be1aa47230c9aa7
Instruction ID: a8f05ab6193f83d50dd899923001f11986cb45a56e7361630059868b1f700e06
Opcode Fuzzy Hash: 069b6e407d859e664c990951a5508d2bb8a85b77df5e7a8b6be1aa47230c9aa7
Instruction Fuzzy Hash: 5B214F31B041509FE71DAB7A741027E27E7DBC9120728466EE90AD73D1DE299D0783AA

Uniqueness

Uniqueness Score: -1.00%

Function 0270B0A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d77e0dba38e0c5fe01b3db4c74063f846dfc2f26b8041418bb3b5cda448b7cf
Instruction ID: 6e547efe477a0d43e184a3294a16b13ee96f3dc59ac4b66753d13069be9f016f
Opcode Fuzzy Hash: 6d77e0dba38e0c5fe01b3db4c74063f846dfc2f26b8041418bb3b5cda448b7cf
Instruction Fuzzy Hash: AA31D430600205DBD700EB79E8956ADBBE2FF84314F44956DD115AB3A5DF71AE098B90

Uniqueness

Uniqueness Score: -1.00%

Function 02702C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec718989bd8410ee33c81edcbedacd35adb8b116f7a0c39f7d820a695842f037
Instruction ID: 9552daef2180eeadbbd86fe7994309e0cb5eb23d5ec0d6ac83ca48a49617ab11
Opcode Fuzzy Hash: ec718989bd8410ee33c81edcbedacd35adb8b116f7a0c39f7d820a695842f037
Instruction Fuzzy Hash: 20310974A0060ADFDB14EFB4D494AEEBBB6FB48310F1041A9E902AB354DB75AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0270288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c064b661ca0c36b5783be638844f3827cc2ebee66326cd0ad3d345e26b7dd44
Instruction ID: 83d6df5c110f767cfd46bfafdfa2f1d5e0ec919abaa3b0534168922858dc8e31
Opcode Fuzzy Hash: 3c064b661ca0c36b5783be638844f3827cc2ebee66326cd0ad3d345e26b7dd44
Instruction Fuzzy Hash: 51311875E10208DFEB14DFA5E8A86ACBBB6FF88354F14416AD902AB394DF345845CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02704B70 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21db10a5bc1b2cc9f4c60cd4e838a2f7a2d4ef1549c76c8132e711927d2101d6
Instruction ID: aa552ad4dc05e41d538aa66fd6d27cc6b3b8cfcd4e809dd14f0550a9cb6f10d2
Opcode Fuzzy Hash: 21db10a5bc1b2cc9f4c60cd4e838a2f7a2d4ef1549c76c8132e711927d2101d6
Instruction Fuzzy Hash: 4F21C8312007039FE705EB38E8A165E7BA7EF84310B088A6DE5059B255DF71BE468BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02704B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b6a0331f8528caf45f2022595a2ffc6b7657452617fb70d6b72f68b725e64b
Instruction ID: 834173e066b96b052f0c7479e63af47dc0be2bfab905f784ba8e1907648f0272
Opcode Fuzzy Hash: f5b6a0331f8528caf45f2022595a2ffc6b7657452617fb70d6b72f68b725e64b
Instruction Fuzzy Hash: 0A21C6302007039BE705EF39F860A5E7BA7EBC4310B088A6CE5058B255DF71BE454BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02704237 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09382e425e1c0f619618d7841b5c0308b0be67c9de213174b4fda0185d3e2ad6
Instruction ID: 55437fe82ad644511dfe6dc3079dbc1edcd22082f31c758e598834bbdf6922db
Opcode Fuzzy Hash: 09382e425e1c0f619618d7841b5c0308b0be67c9de213174b4fda0185d3e2ad6
Instruction Fuzzy Hash: 0D118E627082409FE30A9B7D68352AE3FA3DFC6620759419ED481CB782CD299D4B87E5

Uniqueness

Uniqueness Score: -1.00%

Function 02706888 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc0c5bfe945d49a25e3b31a3163dce20a3e98f4a1f799a782414e2aea9b3122
Instruction ID: 0ed7965256fd4d2f5ad81b1eff4688535ea16f41ab98964ca8c76fd76550f932
Opcode Fuzzy Hash: 8fc0c5bfe945d49a25e3b31a3163dce20a3e98f4a1f799a782414e2aea9b3122
Instruction Fuzzy Hash: D4210670D00205CFDB04DFA5C9A8BEEBBFAAF44304F118069C005B7691DB769A18DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02702908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4258d1bc3deeaab62e11ddb72b41cc7b05d1780869fe1dc14ba4fe813155268c
Instruction ID: 3a80aa26f4ce3cc5fc6cb58ef5b3cf5161deddbea08074f96fe47cdbaa808f89
Opcode Fuzzy Hash: 4258d1bc3deeaab62e11ddb72b41cc7b05d1780869fe1dc14ba4fe813155268c
Instruction Fuzzy Hash: AE21F875E10209DFEF14DFA9E894AADBBB2FB88340F04816AD9117B354DB305805CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02705C59 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388ef342c4c69f4d02275efb78b48341f40884a50dae76bf0c5663ee26aab7d7
Instruction ID: 414911cf45cfedf28a24461e1da0f34c857cd9d072f84f7608d6ae50e0a19533
Opcode Fuzzy Hash: 388ef342c4c69f4d02275efb78b48341f40884a50dae76bf0c5663ee26aab7d7
Instruction Fuzzy Hash: 6E215834A00219CFDB10CBAAC5A8BDDBBF1BB48314F640159D001BB2A0CB759D49CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02705C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba5ac5042665a50d3155133e633b8646f381ea6340c7063ea6d9fe8f8ebf743
Instruction ID: 339618d881c9d6b30a434acba362d3f3e5cf7f98be81792cdebd0aef68c82416
Opcode Fuzzy Hash: cba5ac5042665a50d3155133e633b8646f381ea6340c7063ea6d9fe8f8ebf743
Instruction Fuzzy Hash: 0D213835A00219CFDB10CBAAC598BDDBBF1BF48314F600195D505BB2A0CB759D44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0270296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409ff35b41147670f7a73a8ab47c3a2aca8df4d4348ad4d0aff89b350dc59001
Instruction ID: 9193d03be0edd71ee588ce8e19dcae52325f55eb2f5ff6a62b11c7be36f8389f
Opcode Fuzzy Hash: 409ff35b41147670f7a73a8ab47c3a2aca8df4d4348ad4d0aff89b350dc59001
Instruction Fuzzy Hash: 3D21B478A00208DFDF14DFA8E894A9CBBB2FF88304F14416AE905AB365DB30AD45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 027041A2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d752515957466f82ca7cd80f8023fba363491776d366f5d40e4d1dcb68368e2
Instruction ID: d57a1feea8e909b7aab4d18804538c7cdade4eca3e15275c7d8a81a97b86c23a
Opcode Fuzzy Hash: 9d752515957466f82ca7cd80f8023fba363491776d366f5d40e4d1dcb68368e2
Instruction Fuzzy Hash: 2201282130D3806FE7066B7968711AE3FAADF8A524759409BE405E7382CD225D068375

Uniqueness

Uniqueness Score: -1.00%

Function 027032E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d5ae25463e253d3d29ed0d28a3cc51084eecef67116b3e2e6febacbb94ef90
Instruction ID: 285f24d8380a85b63349e892844b91ded14bbefbd16933e4eeed84f698190468
Opcode Fuzzy Hash: 65d5ae25463e253d3d29ed0d28a3cc51084eecef67116b3e2e6febacbb94ef90
Instruction Fuzzy Hash: C6112A35A10344CBDB45FBB8E4AC79D7BB6EB88301F004469D902A7381DF7D5C199B51

Uniqueness

Uniqueness Score: -1.00%

Function 02705940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6651337c475369d2a5aa80ab5e000e651f4617b7736ad1c95049f3a356252d49
Instruction ID: acf3d21f95c0c7853c1dc12d523a95e2f8118e2d3120602b031d32bcf6ca8ed1
Opcode Fuzzy Hash: 6651337c475369d2a5aa80ab5e000e651f4617b7736ad1c95049f3a356252d49
Instruction Fuzzy Hash: 370181763002109F9704AE6DF49485EBBABEBC9665310857AEA06C7350CE71DC4587B0

Uniqueness

Uniqueness Score: -1.00%

Function 02702A80 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b68126859cb03db25bc5c361bd894da54c6e6336853312c134db94cfb1170f
Instruction ID: d5dae99c0421838da92b291eac2788a236fed0eca73042354196742c62e693c6
Opcode Fuzzy Hash: a8b68126859cb03db25bc5c361bd894da54c6e6336853312c134db94cfb1170f
Instruction Fuzzy Hash: 0201BCB57006008FD301AF38E45549BBBE1EF4622431189AAE146CB362EF31EC058FE1

Uniqueness

Uniqueness Score: -1.00%

Function 02706388 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2873392b9426eb86b658ae91c8ac018f3e021f9c92859a2065a849fc2115b23
Instruction ID: 9d263e86a002cef157d1b3f19b28ac682c388b91dfdb78f931cd5979bdba4439
Opcode Fuzzy Hash: d2873392b9426eb86b658ae91c8ac018f3e021f9c92859a2065a849fc2115b23
Instruction Fuzzy Hash: 6101F970901209EFDB00EFB8A8A559DBBF2EF55300B1081A9D504A7361DE31AF55C765

Uniqueness

Uniqueness Score: -1.00%

Function 02705931 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d27070378d423d9f68d11b767bacb58740fd8e9d07a9b02cd2c7402c16d1f18
Instruction ID: 216e763362d4055db6ab0c159bac845fdeedcc9dd1db06e6be973421f11fa7a3
Opcode Fuzzy Hash: 4d27070378d423d9f68d11b767bacb58740fd8e9d07a9b02cd2c7402c16d1f18
Instruction Fuzzy Hash: A2F0C2723013109FC301AF69E8A485ABBBAEF8A26431481BBE505C7361DE71DC4587B0

Uniqueness

Uniqueness Score: -1.00%

Function 027032F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b92fc419a1866a4f0e24b57e2d132cb378d90ced997116b5208bc44dd36a07
Instruction ID: 1faba44512299fd0ee9c40b6c94d2d7b7e87a844a132e91eb862b0b868f6243c
Opcode Fuzzy Hash: 57b92fc419a1866a4f0e24b57e2d132cb378d90ced997116b5208bc44dd36a07
Instruction Fuzzy Hash: 71014C34A10304CBCB44EBB8E4AC79E7BFAEB88301F004469D90297380EF795C14DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02701FF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b022b95c1c07cb5215b32959de4d8d6c4cee7d738d938fbecbb229979c6b143f
Instruction ID: 723d466de4977c5a4b14d8814edb5790642ae6e1177e64521c9996791f0f5418
Opcode Fuzzy Hash: b022b95c1c07cb5215b32959de4d8d6c4cee7d738d938fbecbb229979c6b143f
Instruction Fuzzy Hash: 2DE0DF757053408FCB106B79E47949A3FAADFC621130600EAE006CB322CD39CC079391

Uniqueness

Uniqueness Score: -1.00%

Function 02706398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382b7e72f6d4f508dfc642668c414267ffe1b0828f362f3ac7f65617bb5a4654
Instruction ID: bf9d75c7371bb081cf765562fa85dc41fb10a44eb24db585d49a0c6a2cb25727
Opcode Fuzzy Hash: 382b7e72f6d4f508dfc642668c414267ffe1b0828f362f3ac7f65617bb5a4654
Instruction Fuzzy Hash: 6FF01274A00209EF9B40EFB8F55159D7BF6EF48200F1081A9E909A7350DE316F45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02702DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f54ce6058d1ffa094a83d90b8d2eaa7b5ac77e4b1facacc5d363f763c05934
Instruction ID: 9cb35c832e3630677d0ee4aa3834ae39cad95f82ef2360420eed9a31334ef56f
Opcode Fuzzy Hash: 74f54ce6058d1ffa094a83d90b8d2eaa7b5ac77e4b1facacc5d363f763c05934
Instruction Fuzzy Hash: 60E06D71E10118CF8B84EFBCD5056DE7BF4EF48310B1040AAE509E3311EB309E108B91

Uniqueness

Uniqueness Score: -1.00%

Function 0270374E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ed6ccfa4882c0b8dd6b7bffaa2ab6f1200b2cb402a75453c6f7efbaf12e067
Instruction ID: e4d8011d35cbec4453ddeea9fce8a5301857e0a96728a7beb6cb6842ea610717
Opcode Fuzzy Hash: f4ed6ccfa4882c0b8dd6b7bffaa2ab6f1200b2cb402a75453c6f7efbaf12e067
Instruction Fuzzy Hash: F6E0C2367002159B8328972BA88467E32EB9BC8575318447AEE0DD3354EF209C0A52D1

Uniqueness

Uniqueness Score: -1.00%

Function 027066C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f3afc22d89798d3c5e154e050a69cde224313a309062c852822c347053ec8cf
Instruction ID: 734c9221bbd39c6621de443e987c5814c0e2b974e9c03458b379127ef30b1a1b
Opcode Fuzzy Hash: 8f3afc22d89798d3c5e154e050a69cde224313a309062c852822c347053ec8cf
Instruction Fuzzy Hash: 6FD0A7227082A01B97013B5C78100A81FEADACA52130A02F7F605E7357CD155F0A53E5

Uniqueness

Uniqueness Score: -1.00%

Function 02706469 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0b72248844e1959e37b24abdd063bcf126aad501804effd03518098bcf30ae
Instruction ID: 04c24ab555f1e105d2fc59baa37e86bfb0b4cb543842eb81c7f17a17737421b9
Opcode Fuzzy Hash: 3a0b72248844e1959e37b24abdd063bcf126aad501804effd03518098bcf30ae
Instruction Fuzzy Hash: F6D05E757482004FD304AB68D09092437B6EB8D324B0601AAF60DCB376CD25ED428719

Uniqueness

Uniqueness Score: -1.00%

Function 02705631 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28c1de44b97a59862cd3bc56dac193d824d93805e6c81291879045d2b9d50f0e
Instruction ID: 3bc490923565bb990a48aa8622f30f1c094b7f4594a0b2cdfe9d123d4d9073ce
Opcode Fuzzy Hash: 28c1de44b97a59862cd3bc56dac193d824d93805e6c81291879045d2b9d50f0e
Instruction Fuzzy Hash: E0D022A1944308AFE34201186CAE0C03B3EEAA262871402A5E80542203BD2FDC1F0A80

Uniqueness

Uniqueness Score: -1.00%

Function 02706478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2591385375.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2700000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e37ab187769fe21d1e265fa1819f44f2b1a4ed7f4eab250ccbed80e16e2140
Instruction ID: 719a14f6875b7cbd854c31846b14fe02412dfc73c3a7a25c8cdab1ab3c872e45
Opcode Fuzzy Hash: 16e37ab187769fe21d1e265fa1819f44f2b1a4ed7f4eab250ccbed80e16e2140
Instruction Fuzzy Hash: 91C012343402048F8608EB6CE09082933FAEB8C71531000A9FA0ECB339CE21FC828A18

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 4324, Parent PID: 500COMMON

Executed Functions

Function 021F3860 Relevance: .6, Instructions: 620COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47980e484805ea6ba3c72c0909a17fc5cc4cf2c65074b885efa746ee4529af8
Instruction ID: d44f761ddc9a77ac50b44897bb0f8ecc6f4ece2242942bd5d995487522b076d1
Opcode Fuzzy Hash: d47980e484805ea6ba3c72c0909a17fc5cc4cf2c65074b885efa746ee4529af8
Instruction Fuzzy Hash: 51324E34B00215DFDB05EF68D864AAE7BF7EF88310F148169E916AB3A5DB359C42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 021F4F58 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4365cdb8407e349c6f996482447d1df46794dfd2293bb2b9f30e2007ba17e9ba
Instruction ID: 468afbcbcbe13c9c6ab43a150624167159cc8721d4e1990f8e91a37e4c15b27e
Opcode Fuzzy Hash: 4365cdb8407e349c6f996482447d1df46794dfd2293bb2b9f30e2007ba17e9ba
Instruction Fuzzy Hash: 48329C30B40214DFDB48DFA9D4546AEBBF3EF88310F648169D916AB395DB34AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021F1049 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8514cf89924a768ad5d0c2286369300b20875c15b638576a282a1b49f25d5a6
Instruction ID: 7094a1b0b04c28b8a493428eeab35af4e083c79dabe6c9da03d6b19b29ed9411
Opcode Fuzzy Hash: e8514cf89924a768ad5d0c2286369300b20875c15b638576a282a1b49f25d5a6
Instruction Fuzzy Hash: 1B82B07860020AEBEB06EFB4D564B6E7BF3EB88300F144418E9013B799CB756D51DB66

Uniqueness

Uniqueness Score: -1.00%

Function 021F1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8427f67d2542a5fe83b39c62f2dce18e458e8985c22cba74f8af64a818aea09
Instruction ID: a63fa3e1bc7f32b153a46813d0cd3f88e80b2a27bf0ccd5f9f3ac7ea6af388aa
Opcode Fuzzy Hash: f8427f67d2542a5fe83b39c62f2dce18e458e8985c22cba74f8af64a818aea09
Instruction Fuzzy Hash: B982B07860020AEBEB06EFB4D564B6E7BF3EB88300F144418E9013B799CB756D51DB66

Uniqueness

Uniqueness Score: -1.00%

Function 021FB0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667570e0eafae4d8231e7b7c18a84826e2efdefff888b978b39047c2fd894db1
Instruction ID: 661163c52fab2d5c8fe3ce73f58d51bc2897b3c8efe77f501311f2d678b0ae8d
Opcode Fuzzy Hash: 667570e0eafae4d8231e7b7c18a84826e2efdefff888b978b39047c2fd894db1
Instruction Fuzzy Hash: 68524834A01200CFC769EF34E458A6D7BE2FB88309B6489A9D516AF3A5DB35DD41DF80

Uniqueness

Uniqueness Score: -1.00%

Function 021FBB99 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e35ac7cdbeea5cc68fa358b5015461c5216f6c33ca15cbf0922b64f9e1e6e7
Instruction ID: 3a5f284cfa93d7bf77229c12fb28947d3888fd4711aeed5ab8838071f56fde40
Opcode Fuzzy Hash: f7e35ac7cdbeea5cc68fa358b5015461c5216f6c33ca15cbf0922b64f9e1e6e7
Instruction Fuzzy Hash: B5812D78902212CFC7A1EF24E589D5ABBF2FB48344B64C558D2559F32AD730E949EF80

Uniqueness

Uniqueness Score: -1.00%

Function 021F385A Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051611de180e99cb869f726730bab59ea311627bd6c3bf1e18b1b738ca0d5cfe
Instruction ID: 1be18071fbb4d73f0166858fcf26f8bd66fdb7ff5e9821f5dfd38171feeb8a42
Opcode Fuzzy Hash: 051611de180e99cb869f726730bab59ea311627bd6c3bf1e18b1b738ca0d5cfe
Instruction Fuzzy Hash: DA612E34A01219EFDB05DFA4E894AADBBF2FF88310F148169E915A7364DB35DD42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 021F5AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a620d5ee2066a3c8a96a6f9be7ef9baf28df3275cdb1f1eac30101aae5e9a3
Instruction ID: 3a7aaac70761193db85a2f5033b8acb9a6c5335a251e11f1a9e0ca11a2d6c639
Opcode Fuzzy Hash: b5a620d5ee2066a3c8a96a6f9be7ef9baf28df3275cdb1f1eac30101aae5e9a3
Instruction Fuzzy Hash: BB514C75B40205DFDB44DFA9D594A6EBBF6EF88314B5140A8E516EB361DB30EC01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 021F5240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82c16be8ebc51c94733da3aa77515f36d020fa8c7ce485b9c15eacfde2eb24b
Instruction ID: 1ef12bd0ceee94aeceec317bba9d1380efc5de7916b83b598d02be3fc9043657
Opcode Fuzzy Hash: e82c16be8ebc51c94733da3aa77515f36d020fa8c7ce485b9c15eacfde2eb24b
Instruction Fuzzy Hash: 59514C31A40219EFCB54DFA8D484AAEB7F3BF88715F548169E916AB364DB309C41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 021FBEAF Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8727a321d6e3a0269e50eddba6f510bffb3ac7e3dce740c237a8262920bea40d
Instruction ID: 1e1355fe1a4c0bc3d65f1c91aa06ddf810fff7e8912b2aa4fbfac85b785caea2
Opcode Fuzzy Hash: 8727a321d6e3a0269e50eddba6f510bffb3ac7e3dce740c237a8262920bea40d
Instruction Fuzzy Hash: 7B414A347406148FC754EF6DC498A6EBBE6BF89710B2580A9E916DB3B2DB71DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 021F2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa1f2d937dd9455f005162d2b124a55c663bfc721cb34838b1faff886daebc1
Instruction ID: 98331f31dc01680511c86f03d8822e4f5be7fa99b56c4e04db9430150b4caad0
Opcode Fuzzy Hash: baa1f2d937dd9455f005162d2b124a55c663bfc721cb34838b1faff886daebc1
Instruction Fuzzy Hash: 6241F774E00219CFEB54EFA5E494AADBBB6FF88300F148129D912AB355DB35A846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021F5A91 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d56f74ac60283b32aaf3f1961d18051f98de7f28dec09e069a98330405af17
Instruction ID: 450e7c1720c581bc0550bdaab568291c2d88f30b13bc9f16cf258e2a8d3e8b17
Opcode Fuzzy Hash: d4d56f74ac60283b32aaf3f1961d18051f98de7f28dec09e069a98330405af17
Instruction Fuzzy Hash: 49317C75B002068FC704DF69D594A6ABBF6EF88314B5580A9E519DB362DB30EC02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 021FBEC0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079efa885dce6c2d01e5dc0896aadd1af2171beb5afe1a46d49b3fc11355c9d3
Instruction ID: 87a2f20c95b61356c797fa3850a81b1e25549fb74084cbe5a1528f596b51cae9
Opcode Fuzzy Hash: 079efa885dce6c2d01e5dc0896aadd1af2171beb5afe1a46d49b3fc11355c9d3
Instruction Fuzzy Hash: F4311C347406148FC744EF6DC498A2EBBE7BF89710B2580A9E516DB3B5DB71DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 021F2B10 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d54fbde725860282c5867a474ff7b7ee4d047fc95d3484509a9e756ec1514b9a
Instruction ID: 0219d3c6f7f8f8b74f95afb9f25747c1abee5576b3268eef8969c66635a0456b
Opcode Fuzzy Hash: d54fbde725860282c5867a474ff7b7ee4d047fc95d3484509a9e756ec1514b9a
Instruction Fuzzy Hash: 4A311331701215CFD749EB39D490A2E33E3EB89A54B6980A9D1168F3A9DF36DC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 021F2B20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7a75fe01c8d56faf9724c399ee2ee8d77713511129f2ec264b25e3b2028eed
Instruction ID: 4b3f3f6dcc4ded0d8f9b91b24835fcdd2d48ff9f3edba39f04d2ec5342fedf59
Opcode Fuzzy Hash: dd7a75fe01c8d56faf9724c399ee2ee8d77713511129f2ec264b25e3b2028eed
Instruction Fuzzy Hash: 98310231701215CFD749EB39D490A2E33E3EBC9A50B6981A9D1168F3A9DF36DC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 021F2842 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665d29f728a49ecda61f416da598c65e4823e2787cf276d12b0deec3c0b55420
Instruction ID: 939b515693d61e4912ac6a860164c04a1d45056b60fbd8914a58bdf7b2eb05e0
Opcode Fuzzy Hash: 665d29f728a49ecda61f416da598c65e4823e2787cf276d12b0deec3c0b55420
Instruction Fuzzy Hash: EB415070E00209CFEB54EFB5E4946EDBBB6FF88305F148129DA12AB294DB349846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021F5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbda9090106d621d33aab11115b1b669f30fb3fb8a0e280aee53cb8cd2cc061
Instruction ID: 2d476a4dbe2a2d1aee07af0574cefdca3078765bb7f8fb3e31c85432bb0b675f
Opcode Fuzzy Hash: 6fbda9090106d621d33aab11115b1b669f30fb3fb8a0e280aee53cb8cd2cc061
Instruction Fuzzy Hash: 7B411835A40214EFCB44EFA4E4949ADBBF3FF88311B608069E916AB364DB349C42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021F3750 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21dc0468fdd77352866a9a11ee03238ede7cb389f071fc9e272a9798859c984
Instruction ID: eec5c965e97e5a9d00974a7af4f50edc8bc622445f0b39c084e4dd360cfb43e4
Opcode Fuzzy Hash: c21dc0468fdd77352866a9a11ee03238ede7cb389f071fc9e272a9798859c984
Instruction Fuzzy Hash: 31214C31B042548FE71E6B79681013E27E79FC922076886ADDD1ADB3D1DF299C0783A5

Uniqueness

Uniqueness Score: -1.00%

Function 021FB0A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf793f73beca93dc69201ed2973dd3c27a34227596f711f97d61302dea7f76ac
Instruction ID: bd07cbca66853e8368140bbf5753d7e6a79a650068f55d46bd4b1dc685be7cab
Opcode Fuzzy Hash: cf793f73beca93dc69201ed2973dd3c27a34227596f711f97d61302dea7f76ac
Instruction Fuzzy Hash: 3631E230A00215DFD714EF78E8946ADB7B2EF85344B04856DC126AB291DB759D068B90

Uniqueness

Uniqueness Score: -1.00%

Function 021F2C48 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ccc89dcf8c8f63c224193ab7356ee7aede9a06e23ffefb41e77c5079f89233
Instruction ID: adc2457c9097bd1b757a422f64a47b5c5cf736e75a1ba920e2bc11687ff5edc3
Opcode Fuzzy Hash: f2ccc89dcf8c8f63c224193ab7356ee7aede9a06e23ffefb41e77c5079f89233
Instruction Fuzzy Hash: 88410A7490020ACFDB44EFA8D594AEE7BF2FB48314F104569D511BB364EB31A941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 021F4B50 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f459e5926b46ab0755cbf97474e0c99ce83e2978f6ef84db736791e1e20f699
Instruction ID: aab675f7e144bf609249e33c96d75f36be5196779fe56cb776f7fe5622971947
Opcode Fuzzy Hash: 1f459e5926b46ab0755cbf97474e0c99ce83e2978f6ef84db736791e1e20f699
Instruction Fuzzy Hash: FE213B30204342DFE306EB38EC50A5EBBB3EF85350B488AADD5158F265DF70AD098B94

Uniqueness

Uniqueness Score: -1.00%

Function 021F2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf57dc3fe0526588b57bf4ca0705d47cb8a8e1affd9c0b922ec468f693e50f51
Instruction ID: feae99bf8589eb681a3947d351192a20fc8f1ee7c756f4563e82d1f6164bf596
Opcode Fuzzy Hash: cf57dc3fe0526588b57bf4ca0705d47cb8a8e1affd9c0b922ec468f693e50f51
Instruction Fuzzy Hash: 8031097490020ACFDB54EFA8D494AEEBBF6FB88314F104569D911BB364EB31A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 021F5698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa57f0aaf52fb027dce256252e7c005bf52d10068a7b4fc0464b6512d4757d3
Instruction ID: ae9c5ea8e544f00bf3ba4babb0ba4468edffcbb2e75775edf4c0d26f1dc89f53
Opcode Fuzzy Hash: 0fa57f0aaf52fb027dce256252e7c005bf52d10068a7b4fc0464b6512d4757d3
Instruction Fuzzy Hash: DD21BB70B002049FC704DF6AD198A6EBBF6AF88700B604069E916E7361CF70EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 021F288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e4153e40a91a3e5c09d1ea1be6021ff91aba10c5590811c9d7dbe76b5ee2f9
Instruction ID: ec26f7d86bd2fd2ae0eaf21d6160b7b67df8200726968cc5f278407fe4aa6be5
Opcode Fuzzy Hash: 47e4153e40a91a3e5c09d1ea1be6021ff91aba10c5590811c9d7dbe76b5ee2f9
Instruction Fuzzy Hash: 07313A70E00219CFEB54EFB5E4946ADBBB6FF88344F148129DA12AB294DB349845CF20

Uniqueness

Uniqueness Score: -1.00%

Function 021F4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969db3b9fcdd0bec62c1b0f9a57b8014fd767c5975e200ed902b057b415e5e53
Instruction ID: 67aa1def6abb4d80c6ca7124030fe2b17ea772ac974501630b16d0ffe5811c67
Opcode Fuzzy Hash: 969db3b9fcdd0bec62c1b0f9a57b8014fd767c5975e200ed902b057b415e5e53
Instruction Fuzzy Hash: C521AE30200307DFE709EB39E8A0A6EB7A7EF84350B488A6CD5158B254DF71BD498B90

Uniqueness

Uniqueness Score: -1.00%

Function 021F2908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb349fc9641f37f7d0d97356b892dee722618c4902835dcb7233913269f4de1
Instruction ID: 0f0fdb69d107c11fce29a67ee4d9a29fa5a47ba34429bdd172a980ebd35c1ccd
Opcode Fuzzy Hash: dbb349fc9641f37f7d0d97356b892dee722618c4902835dcb7233913269f4de1
Instruction Fuzzy Hash: 8D21FA74E00219DFEB54DFA5E890AADBBB6FF88340F148129DA21BB354DB309805CF61

Uniqueness

Uniqueness Score: -1.00%

Function 021F6888 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a8895714fb4b300e952be5e9c8c62e8dd1624ed9b59a6bc97184910200061e
Instruction ID: 9ad0c3e50fdf8f94a27d8f6c6f3e8f94b3befed95488591713f1bc264ec63005
Opcode Fuzzy Hash: 10a8895714fb4b300e952be5e9c8c62e8dd1624ed9b59a6bc97184910200061e
Instruction Fuzzy Hash: 84218C31940245CFDB94DFA5CA49BEEBBFAFF44304F10806AD931A7251DB768A05DB50

Uniqueness

Uniqueness Score: -1.00%

Function 021F5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697c6e939abc35d4cda64d43f57bb7967f8957680abf9e9cc3e9a5d180befa6f
Instruction ID: 77f29cb6921da2538169fe014d87912ba14f26867304dff6435a3145a7a80815
Opcode Fuzzy Hash: 697c6e939abc35d4cda64d43f57bb7967f8957680abf9e9cc3e9a5d180befa6f
Instruction Fuzzy Hash: 73216A35A00218DFDB50CBA9C598BDDBBF2AF4C314F6000A5D605BB360CB75AD84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 021F296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905993e27a57a1f5f9be4cd71858f0966ad910b9653b6ef79c08ff0524bb232c
Instruction ID: 0171064ee18131692c636e964596546e180780944707d3a8fcb99ccd18e2ad8d
Opcode Fuzzy Hash: 905993e27a57a1f5f9be4cd71858f0966ad910b9653b6ef79c08ff0524bb232c
Instruction Fuzzy Hash: 3821C474A01219DFEB54EFA4E890AADBBF2FF88301F144129D915AB364DB30AD45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 021F5C5B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8e245dccf3a755ff3f5d1468114d04390d9836539e61cce1d45d70112578b1
Instruction ID: 935e92b7b82c889ef03004238393c31f154cf20934e8ec6b977ef77d813f8829
Opcode Fuzzy Hash: ff8e245dccf3a755ff3f5d1468114d04390d9836539e61cce1d45d70112578b1
Instruction Fuzzy Hash: 82219735A00259CFDB00CBA9C5A8BDDBBF2AF4C314F640099D202BB3A0CB759D85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 021F4248 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8199d19b5653e8df6f3b32737ce551a4ceeda5b27e7d90f3a60daeac82efde2
Instruction ID: 49bfcb727f41d2d845512ef71ce1bab6d486659fa133d0c73ad6e14329747dd8
Opcode Fuzzy Hash: d8199d19b5653e8df6f3b32737ce551a4ceeda5b27e7d90f3a60daeac82efde2
Instruction Fuzzy Hash: 6D019C327082408FE30A9779642426E3B93DFC2760348419EC942CF381DF25AC06C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 021F41A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deae2469ce1a988087b1c6e292e57bc4bbfc67da5f69db3d3bd8ff3c898bb787
Instruction ID: 8a19d74f5eb0efe40a8f84b413442822c5142d96bfe66270b3c6e2c7b1db61d9
Opcode Fuzzy Hash: deae2469ce1a988087b1c6e292e57bc4bbfc67da5f69db3d3bd8ff3c898bb787
Instruction Fuzzy Hash: 49014C3170C3509FE30AAB75A87015E7FB7EF8636075540DBD815DB282CE215C06C766

Uniqueness

Uniqueness Score: -1.00%

Function 021F32E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38c3c136993acb71f1721306c5033b0d6dd0403da565e4e222e6130807326cf
Instruction ID: 7259b356663517ca809e15f51355555e5f958fd69ce3744968a9f8d7e1b27a39
Opcode Fuzzy Hash: f38c3c136993acb71f1721306c5033b0d6dd0403da565e4e222e6130807326cf
Instruction Fuzzy Hash: 4D113935A102848FDB48EFB8E99879E7BB2EB98301F404529D912AB291DB395847CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021F5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e015b8caee4942f474d8a8b34bf8d54ee68f596278cb6e63b194480e66e7372f
Instruction ID: e1a6ef36456201fe744dc6134866c1d30a9a2a700c2f8613d622ea47ad283d9c
Opcode Fuzzy Hash: e015b8caee4942f474d8a8b34bf8d54ee68f596278cb6e63b194480e66e7372f
Instruction Fuzzy Hash: D201A4773002208F8704AAA9F49486EB7E7EBD97B5350857EEA06D7350CF31DC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 021F32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c36375b7c2bb425246ec7564b8caaa5b8e9a50e97dea928cfafe69f7801f5c3
Instruction ID: be3a51b8d8510b831d7a6af975b17d852015349b17e4d98db52cad0d99041129
Opcode Fuzzy Hash: 6c36375b7c2bb425246ec7564b8caaa5b8e9a50e97dea928cfafe69f7801f5c3
Instruction Fuzzy Hash: 9B012574A002448FDB48EFB8E958BAE7BF6EB98311F404529D912A7291DF395C87CF50

Uniqueness

Uniqueness Score: -1.00%

Function 021F2A80 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b68c16531e5c312336a170eaf444b8ceff112348469866dd0e29fdd3e03588
Instruction ID: 2672a2cd4d8bd6b0908e42c6f5f778642af7f10d78cbd1db0299fea9ea4b030b
Opcode Fuzzy Hash: f1b68c16531e5c312336a170eaf444b8ceff112348469866dd0e29fdd3e03588
Instruction Fuzzy Hash: 50015675700600CFD312AF78C55495ABBE2EF8531471489AAD666DF720DB71E8008F80

Uniqueness

Uniqueness Score: -1.00%

Function 021F2A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3863db969786e6ec410c2fcd2f0a1e1f93ac5cc15289ab6eb585da7e77065764
Instruction ID: 42996ad52dd146656fd746c39db3de5949ce2b2468ee7d184063f9f546ae5444
Opcode Fuzzy Hash: 3863db969786e6ec410c2fcd2f0a1e1f93ac5cc15289ab6eb585da7e77065764
Instruction Fuzzy Hash: 4CF042717007148FD311AB78C44485BBBE2EF8666431089AAD66ADB320EFB1EC048FC0

Uniqueness

Uniqueness Score: -1.00%

Function 021F4237 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9940aec3d13ae2a1231b7bc33dfca1d7119747d73208f93469b34e031738934e
Instruction ID: caeed7b9df3aae927f0920271a9802454802aa806b74718a180a2f9a453b5a1b
Opcode Fuzzy Hash: 9940aec3d13ae2a1231b7bc33dfca1d7119747d73208f93469b34e031738934e
Instruction Fuzzy Hash: 98F0A7353041019BD315DB29E49076E7753EFC1750B48052DD9054B741CF35AD429BC4

Uniqueness

Uniqueness Score: -1.00%

Function 021F6388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bee2fdf3702029e286020f801017375ab18c1df35fa528d7567eae7b930ec6a
Instruction ID: ea86db4ffa3b0ee72d0d8b4c09ada5b6930d6205073244dc859539e3ccd8b6b1
Opcode Fuzzy Hash: 5bee2fdf3702029e286020f801017375ab18c1df35fa528d7567eae7b930ec6a
Instruction Fuzzy Hash: 05F06D74E01349EFDB40EFB4E94559DBBB2EF95300B2081DAD514AB291EA306E46DF41

Uniqueness

Uniqueness Score: -1.00%

Function 021F41E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d5747d2aac5f5f0682eb125e1e612c564557788ebd74c0e803e6720bf05272
Instruction ID: a41e7614b637574e1f75950dd68687e44f8b3b7e880227e36f6437bc7ee8b8f5
Opcode Fuzzy Hash: 13d5747d2aac5f5f0682eb125e1e612c564557788ebd74c0e803e6720bf05272
Instruction Fuzzy Hash: 72E0AB31700318AFA30CA2A6BC5086FB69FEFC83A0344046DE428D3380CF226C014BA4

Uniqueness

Uniqueness Score: -1.00%

Function 021F593E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49850b795be70190d66d6a16c7f3f382e368f8b8ed16c572539d61cf347641a1
Instruction ID: c075b2fa48b68c54386a414636035d88dba6c4a78d9ba301c60e12406b977290
Opcode Fuzzy Hash: 49850b795be70190d66d6a16c7f3f382e368f8b8ed16c572539d61cf347641a1
Instruction Fuzzy Hash: 2DF05E76300210CF8304AF69E49486ABBB7EBD9365355816AEA05CB310CB30DC02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 021F6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff736f113a7e61c23059300db15fbb321500deb83f03128f6bfefc6cf18582d5
Instruction ID: 625abc25862a8381cf458706d3b461abbe9bfb124ec66ab54e3f233864d10ee3
Opcode Fuzzy Hash: ff736f113a7e61c23059300db15fbb321500deb83f03128f6bfefc6cf18582d5
Instruction Fuzzy Hash: F6F08230E0030DEF9B40EFB8E54159DBBF2EF84300F1081E89914A7380DA706E018B40

Uniqueness

Uniqueness Score: -1.00%

Function 021F2D92 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e4a0c42c191e08106b04fe9ca486e354c926b659d49cde04c5572d63d69365
Instruction ID: b00c1f006727a866a9106eda614c094c4dff63f8d12dcc9ce9edfcf6880cf8c4
Opcode Fuzzy Hash: f5e4a0c42c191e08106b04fe9ca486e354c926b659d49cde04c5572d63d69365
Instruction Fuzzy Hash: 5EF0F871A24118CF9784EFBCD5446DD7BF1EF48314B2180A9D529E7211DB709912CF81

Uniqueness

Uniqueness Score: -1.00%

Function 021F2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0522473c1239c615ff34cc4593e65e39645e53d046b56f95622659b3416789
Instruction ID: 738d061f4a4f98171f43fb76825ac071e275511bab882b8c0964671d4502c9ab
Opcode Fuzzy Hash: 4c0522473c1239c615ff34cc4593e65e39645e53d046b56f95622659b3416789
Instruction Fuzzy Hash: ADE0C971E10118CF8B84EFBC95056DE7BF5EB48310B1141AAD629E7351EB7099118B91

Uniqueness

Uniqueness Score: -1.00%

Function 021F1FF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98241fdfced19bf007d14b456a44e8aac52f745a3bc3fa9569cafdee442115c3
Instruction ID: d58e5a2bc10a968d169050c7c681746549feb72e7050fa349f3ce7c3e46f87a3
Opcode Fuzzy Hash: 98241fdfced19bf007d14b456a44e8aac52f745a3bc3fa9569cafdee442115c3
Instruction Fuzzy Hash: 3BE09A753001008FCB10AB7DE46898A3BE9EF9931670400AAE109CB322CA39CC12C754

Uniqueness

Uniqueness Score: -1.00%

Function 021F374E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba519ba5f57bb916704bf4928b6842e10e94ef146f2f9350b17853f32bb6649e
Instruction ID: 2ef4a7840dd60eb866cc6dbf78f73487c15cddb516975156ab4532a3baed04c6
Opcode Fuzzy Hash: ba519ba5f57bb916704bf4928b6842e10e94ef146f2f9350b17853f32bb6649e
Instruction Fuzzy Hash: FBE0C23AB401508B83285625620407F2BF79BCC67631C4466DF19C7318EF7088069391

Uniqueness

Uniqueness Score: -1.00%

Function 021F2008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66ffd320fa44b487ebc99864660c2abb2c16c7b4e4bff1b41fc625f5f1bf9ba
Instruction ID: 087e76ee35bf57333b8702c9417e05e35702496ba13e877d0b11b62b7627e5f0
Opcode Fuzzy Hash: c66ffd320fa44b487ebc99864660c2abb2c16c7b4e4bff1b41fc625f5f1bf9ba
Instruction Fuzzy Hash: 5DD017357002148FCB146ABEE41885A77EEEFD972230504BAE50AC7321DE79DC4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 021F66C8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dcb20eeac53c13d2ab91a080310af7e593018752ca343b8b8e1b9fc34597b5
Instruction ID: e53d7691f19c0b752e49c1b21aeb3b460bb0c30e2a6ab34ab6a6a59216462baf
Opcode Fuzzy Hash: 02dcb20eeac53c13d2ab91a080310af7e593018752ca343b8b8e1b9fc34597b5
Instruction Fuzzy Hash: B8D0A795F053A14FD341272C71250DC6B91CE8564130984EBE550DB363CD250C435B42

Uniqueness

Uniqueness Score: -1.00%

Function 021F6469 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf59bdfb013c220c41d4f8bd1cd536a30e4a8b28dfd60366890953c7643c9d86
Instruction ID: bb040d047b573045bfee10e64d3ef5fa8036f014c1ebb7fbc0395200433781c3
Opcode Fuzzy Hash: cf59bdfb013c220c41d4f8bd1cd536a30e4a8b28dfd60366890953c7643c9d86
Instruction Fuzzy Hash: 6AD017792062408FD304DB24E19592537A2EF8831030080EAE118CB3B9DE25D8838B09

Uniqueness

Uniqueness Score: -1.00%

Function 021F6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f66e28b649b6d0a69d3a6065783dff75e6920f0e820d50bf17483af086379c95
Instruction ID: 387fd6564f0eb09ed46a25ff4bec51a498dd4ab394c2397150b237beac6460a2
Opcode Fuzzy Hash: f66e28b649b6d0a69d3a6065783dff75e6920f0e820d50bf17483af086379c95
Instruction Fuzzy Hash: E9C012343402048F8608EB6CE09482937EAAB8C71431040ACE609CB3B9CE21FC828A18

Uniqueness

Uniqueness Score: -1.00%

Function 021F5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2598083518.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_21f0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1632a8bf898d9e3854ebb2d2b58542653524c20e16eb549326ce26a279e2fc58
Instruction ID: bc382a4d0fa1a088b80443d8e4d40809142e594b9dd236aa95542f676a4809db
Opcode Fuzzy Hash: 1632a8bf898d9e3854ebb2d2b58542653524c20e16eb549326ce26a279e2fc58
Instruction Fuzzy Hash: F1B02B3454030D6796000915AC0C411371EEBA012D7404194AD0800100AF23C85200C0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 4548, Parent PID: 5204COMMON

Execution Graph

Execution Coverage:	13.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	0

Executed Functions

Function 0093D630 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0093D5FE,?,?,?,?,?), ref: 0093D6BF

Memory Dump Source

Source File: 0000000D.00000002.2995863303.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_930000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 25d7ed6f3af3a36d23ba45d167db849b61f39b1f0ca15c16f41026cf88aee543
Instruction ID: 09ac497f742a2209b307d7f9267d85c4901678f01a3fe036954944dc99b1aa50
Opcode Fuzzy Hash: 25d7ed6f3af3a36d23ba45d167db849b61f39b1f0ca15c16f41026cf88aee543
Instruction Fuzzy Hash: 3421E3B5D012099FDB10CFAAD484ADEBBF4FB48314F24841AE918A7350D379A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0093D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0093D5FE,?,?,?,?,?), ref: 0093D6BF

Memory Dump Source

Source File: 0000000D.00000002.2995863303.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_930000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7411f350bc7583d94fff05771e5cb9e25f11441c26a794b0f9cab2f174515b80
Instruction ID: b01eacb934306418070e695d59157e0c3bdb582ff33a232f2573364dd8a2edbd
Opcode Fuzzy Hash: 7411f350bc7583d94fff05771e5cb9e25f11441c26a794b0f9cab2f174515b80
Instruction Fuzzy Hash: 4E21E6B5901308DFDB10DF99D484ADEBBF8FB48314F14841AE918A7350D379A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0093E020 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0093E090

Memory Dump Source

Source File: 0000000D.00000002.2995863303.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_930000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: bd419baa2e6b8060b84fb3c1a59f05faa4dac7bccc912c3759c5907ad03037c2
Instruction ID: 12bd9303019df3345c219a6f6bb4a270a90fce3a06a1df51e21be7cc4a9d6a57
Opcode Fuzzy Hash: bd419baa2e6b8060b84fb3c1a59f05faa4dac7bccc912c3759c5907ad03037c2
Instruction Fuzzy Hash: AB1146718003099FDB20DF9AD884BDEFBF4FB48320F208429E558A7250D379AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0093D1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0093E090

Memory Dump Source

Source File: 0000000D.00000002.2995863303.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_930000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 20c371d82794b38ccaa64ea6f2a316edd17e486b33240a39f50b13308182d428
Instruction ID: 44953ff7a921a19abc9da3e4eb257dc1d81f409936d8046d75ee5eb724edc3c0
Opcode Fuzzy Hash: 20c371d82794b38ccaa64ea6f2a316edd17e486b33240a39f50b13308182d428
Instruction Fuzzy Hash: 521149758047499FDB20DF9AD844BDEBFF4FB48310F108429E558A7250D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 1016, Parent PID: 5204COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	14
Total number of Limit Nodes:	0

Executed Functions

Function 014DD130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014DD5FE,?,?,?,?,?), ref: 014DD6BF

Memory Dump Source

Source File: 0000000F.00000002.3010660107.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14d0000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0600776bf0d85ed06d58f130fe5c32bb42c47d5c842b266bb7d9297329389a0f
Instruction ID: 280c0643a36556c4dee5985685070aabc186232e6d71914701827dd873a250e0
Opcode Fuzzy Hash: 0600776bf0d85ed06d58f130fe5c32bb42c47d5c842b266bb7d9297329389a0f
Instruction Fuzzy Hash: 7221E6B5D00209DFDB10CF99D484ADEBFF4EB48320F14841AE919A7350D374A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 014DD630 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014DD5FE,?,?,?,?,?), ref: 014DD6BF

Memory Dump Source

Source File: 0000000F.00000002.3010660107.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14d0000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f42f2b11139a9ebf85bb9137e306f914c5c4f47ad44d2555982ca7813e02c379
Instruction ID: 9f9dd7bec889ff5a2b1ac47ce85cf8404b8c5cf3c91362a9d60250b9798bae2a
Opcode Fuzzy Hash: f42f2b11139a9ebf85bb9137e306f914c5c4f47ad44d2555982ca7813e02c379
Instruction Fuzzy Hash: 6B21E6B5D002099FDB10CF9AD885BDEBFF4EB48320F14841AE918A3750D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 014DE020 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 014DE090

Memory Dump Source

Source File: 0000000F.00000002.3010660107.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14d0000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 16b348e155b6e3b214d27f47a9f04f95ad647b2a47978bc086227ecca151f4bc
Instruction ID: 052fc67a6148b940b29e507dc4f827a54ad251436cfe9010fd1c92c13d238a52
Opcode Fuzzy Hash: 16b348e155b6e3b214d27f47a9f04f95ad647b2a47978bc086227ecca151f4bc
Instruction Fuzzy Hash: 0D1149728002499FDB20DF9AD845BDEFFF4EB48320F14842AE558A7650D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014DD1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 014DE090

Memory Dump Source

Source File: 0000000F.00000002.3010660107.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_14d0000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 03eccb971aef4ca25623714507ebab3889308496aa1e4b18aacc129b2f61847f
Instruction ID: 27992bac8c8823db9b7e81feabda49023a4ff1ea1f06c50abdb03567c3773ee4
Opcode Fuzzy Hash: 03eccb971aef4ca25623714507ebab3889308496aa1e4b18aacc129b2f61847f
Instruction Fuzzy Hash: 2A1146B18006099FDB20DF9AD845BDEBFF4FB48320F10842AE558B7251D379A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 1808, Parent PID: 5204COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	0

Executed Functions

Function 02EDD130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02EDD5FE,?,?,?,?,?), ref: 02EDD6BF

Memory Dump Source

Source File: 00000012.00000002.3004787361.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ed0000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2514e1fae6689df480575d8184264b3fb2180ab74356140dea7d463115333737
Instruction ID: 0f5118ab06929f2bd5ffafb2d07eaff724e91e63c862cebe8f73add8b6845822
Opcode Fuzzy Hash: 2514e1fae6689df480575d8184264b3fb2180ab74356140dea7d463115333737
Instruction Fuzzy Hash: 2B21E5B59002089FDB10CF9AD984ADEBFF4EB48314F14845AE919A7350D379A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EDD630 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02EDD5FE,?,?,?,?,?), ref: 02EDD6BF

Memory Dump Source

Source File: 00000012.00000002.3004787361.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ed0000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0f572c9e154da082a9d8589f1672b27f91d832f7c255aac4d4d77bf875fcfc6f
Instruction ID: 40afda476d1d8bc3418a5322fa89161278c9edec88ee7fda0cd8bc7f1c2e4fe3
Opcode Fuzzy Hash: 0f572c9e154da082a9d8589f1672b27f91d832f7c255aac4d4d77bf875fcfc6f
Instruction Fuzzy Hash: F52119B5D002089FDB10CF9AD984ADEBFF4FB48714F14801AE918A3310D378A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02EDE020 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 02EDE090

Memory Dump Source

Source File: 00000012.00000002.3004787361.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ed0000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 9eb50232ea32102a6c0eddefdfc938d1b6c806df3f3a5d86a9c9ee1e3f8c9890
Instruction ID: dfd11cbc87c379f1bfa8fb3bb9250b0404d8a63292bb6fc8a98618a169864ce9
Opcode Fuzzy Hash: 9eb50232ea32102a6c0eddefdfc938d1b6c806df3f3a5d86a9c9ee1e3f8c9890
Instruction Fuzzy Hash: C61146718002099FDB20DF9AD845BDEFBF4FF48324F248429E958A7650D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EDD1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 02EDE090

Memory Dump Source

Source File: 00000012.00000002.3004787361.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2ed0000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: dd30510507edac23a7b4f894c9f166a0e43440c904292f362980530a3119e96b
Instruction ID: 8b1a66785e20e62652c1385f16007e96a9f32d6c46a4e91238e579d12e576d9b
Opcode Fuzzy Hash: dd30510507edac23a7b4f894c9f166a0e43440c904292f362980530a3119e96b
Instruction Fuzzy Hash: B21146719006099FDB20DF9AD848BDEBBF8FF48324F548429E958A7250D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 3552, Parent PID: 4548COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	0

Executed Functions

Function 0098D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0098D5FE,?,?,?,?,?), ref: 0098D6BF

Memory Dump Source

Source File: 00000018.00000002.2943592415.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_980000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a545a743b052b4d4d159ab7dc1b1065d04e4815656a52ee7325a43d0c1185e96
Instruction ID: a506639a94714bdda24d90558eebbcf0645fbe3fa05fed5ab8589e7524dc5d3e
Opcode Fuzzy Hash: a545a743b052b4d4d159ab7dc1b1065d04e4815656a52ee7325a43d0c1185e96
Instruction Fuzzy Hash: 7C21E5B590120CEFDB10DF99D484ADEBBF8EB48310F14845AE919B7350D379A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0098D630 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0098D5FE,?,?,?,?,?), ref: 0098D6BF

Memory Dump Source

Source File: 00000018.00000002.2943592415.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_980000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: caed588b7dc450fe3cfa6c729d1b724eaaa3fa4fcc5e93f6c3a96e8494bd1946
Instruction ID: 5e7692f7dea9bb4fd84e85738ea84814c95ba77b48b734a2b015a63b77374610
Opcode Fuzzy Hash: caed588b7dc450fe3cfa6c729d1b724eaaa3fa4fcc5e93f6c3a96e8494bd1946
Instruction Fuzzy Hash: 2721F2B5801209DFDB10DFA9D984ADEBBF4EB48320F14841AE918B7360D378A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0098D1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0098E090

Memory Dump Source

Source File: 00000018.00000002.2943592415.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_980000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7d75b0491b9ec79068c395a8ab695d5ce3b90b0ee8ed17e2b541e9e4038d5b66
Instruction ID: 27dc327a362d6369292bcf870a1c2b4a4be43707b97411a725dd3c9818f1cc72
Opcode Fuzzy Hash: 7d75b0491b9ec79068c395a8ab695d5ce3b90b0ee8ed17e2b541e9e4038d5b66
Instruction Fuzzy Hash: 771134718047099FDB20EF9AD844BEEBBF8EB48320F108429E558A7251D379A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0098E020 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0098E090

Memory Dump Source

Source File: 00000018.00000002.2943592415.0000000000980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_980000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: baad711903f3b8f16c73d323b3098e4fa0566fcaa4ea95c7a3a56769af032a1f
Instruction ID: 510e92c6972a279478817552afaa4787f04eb957a7bae4b32430c12fff640700
Opcode Fuzzy Hash: baad711903f3b8f16c73d323b3098e4fa0566fcaa4ea95c7a3a56769af032a1f
Instruction Fuzzy Hash: 69113775800609DFDB20DF99D944BDEFBF4EB88320F148419E568A7350D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 4032, Parent PID: 5204COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	31
Total number of Limit Nodes:	0

Executed Functions

Function 00B0D630 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B0D5FE,?,?,?,?,?), ref: 00B0D6BF

Memory Dump Source

Source File: 0000001F.00000002.2969304008.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b00000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ff21cdc11da96d6a15c26f8a730238f996adae8f5e4e4d7fd104a5dd80033be6
Instruction ID: 8cad63843063e93842cad86c52cb221a53ad5b8f382a4ee8090bf453ca49fd51
Opcode Fuzzy Hash: ff21cdc11da96d6a15c26f8a730238f996adae8f5e4e4d7fd104a5dd80033be6
Instruction Fuzzy Hash: 1F2103B5C00248AFDB10CFAAD884AEEBFF4EB48310F14845AE959A7350D379A955CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B0D5FE,?,?,?,?,?), ref: 00B0D6BF

Memory Dump Source

Source File: 0000001F.00000002.2969304008.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b00000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f569ba863a83522a38ea35b19d5f79f74c7d3d8f9e48d4a3efbe9b560dd8c1cc
Instruction ID: 2a04830e2c36356986d9b3afafa811f90d0eb7771f8732affeed293c34e1b93d
Opcode Fuzzy Hash: f569ba863a83522a38ea35b19d5f79f74c7d3d8f9e48d4a3efbe9b560dd8c1cc
Instruction Fuzzy Hash: 8621E5B59002489FDB10CFA9D884AEEBFF4FB48310F14845AE919A7350D379A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E020 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 00B0E090

Memory Dump Source

Source File: 0000001F.00000002.2969304008.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b00000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4cc772cc6a6d88c442d69aa81ac7d92eee7866e3629b8186a6cf76be9546911c
Instruction ID: 9eadca92cb51457b5d670b1c5bc99f5d19fec11b9b78741652670839554c9e34
Opcode Fuzzy Hash: 4cc772cc6a6d88c442d69aa81ac7d92eee7866e3629b8186a6cf76be9546911c
Instruction Fuzzy Hash: A41156718003499FDB10DF9AD844BDEFFF4EB48310F14845AE568A7251D379A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 00B0E090

Memory Dump Source

Source File: 0000001F.00000002.2969304008.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_31_2_b00000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: b657cddf169fd9499792aa18dff9683dc83a9e51bc92410398142cae2396bd78
Instruction ID: 92db4f802ce35d2e2a5024eebce3bc074c2f0a1f9fdf7f46b0ea5952b5f0c51e
Opcode Fuzzy Hash: b657cddf169fd9499792aa18dff9683dc83a9e51bc92410398142cae2396bd78
Instruction Fuzzy Hash: 1B1146718006499FDB20DF9AD885BDEBFF8FB48320F148469E568A7251D379A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 6268, Parent PID: 5204COMMON

Executed Functions

Function 0090D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0090D5FE,?,?,?,?,?), ref: 0090D6BF

Memory Dump Source

Source File: 00000023.00000002.2917747800.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_900000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e75cd445067b322c7aaaa3f6ea19568a322d8fed2cca54ecbad9d422f2c5358d
Instruction ID: 3deb0e6e75fa7be460cb181564afa60627b4312e70e0a7757ea66a6b81dbb811
Opcode Fuzzy Hash: e75cd445067b322c7aaaa3f6ea19568a322d8fed2cca54ecbad9d422f2c5358d
Instruction Fuzzy Hash: 9321E7B59013089FDB10CF99D584ADEBBF8EB48310F14841AE919A7350D379A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0090D630 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0090D5FE,?,?,?,?,?), ref: 0090D6BF

Memory Dump Source

Source File: 00000023.00000002.2917747800.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_900000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4224dd33fb795b40e4c611971fac3c77c0f302112d8a7664f3999d6f0d98ad02
Instruction ID: 1de6ca6ce547a9696a781ec4db5b781567aadb36e0ff65ed676e221e29b91f68
Opcode Fuzzy Hash: 4224dd33fb795b40e4c611971fac3c77c0f302112d8a7664f3999d6f0d98ad02
Instruction Fuzzy Hash: 0821E5B5D01208AFDB10CF99D584ADEBFF4FB48310F14841AE918A7350D3799955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0090D1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0090E090

Memory Dump Source

Source File: 00000023.00000002.2917747800.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_900000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 84c774d14a6afc4ec0decf3e7befcb5cb6d865607bc60ce20e48570255f4fd80
Instruction ID: 86e8a0fe97e256dbbf100daf88792cd2844687332892252b0d4547d41a169e83
Opcode Fuzzy Hash: 84c774d14a6afc4ec0decf3e7befcb5cb6d865607bc60ce20e48570255f4fd80
Instruction Fuzzy Hash: 351146718047099FDB20DF9AD844BEEBBF8FB48320F148429E558A7250D379A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0090E020 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 0090E090

Memory Dump Source

Source File: 00000023.00000002.2917747800.0000000000900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_900000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a592a859f225a98bc0481fdda95588c56b4204a0de3a08c97e4b2cbcd34c6947
Instruction ID: f4c7514fe6798e1b5990109d8c6148b37b7f257089685030d13268b22c03d056
Opcode Fuzzy Hash: a592a859f225a98bc0481fdda95588c56b4204a0de3a08c97e4b2cbcd34c6947
Instruction Fuzzy Hash: 81113475804209DFDB20DF9AD944BEEBBF5EB88320F248429E558A7250D379A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 5372, Parent PID: 4548COMMON

Executed Functions

Function 00C1D130 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1D5FE,?,?,?,?,?), ref: 00C1D6BF

Memory Dump Source

Source File: 00000024.00000002.3012223330.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_c10000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eecc60393fb254e5898def52474092bf7f60d20af0a2e47b0e81d8c8a26323ee
Instruction ID: dd6ce2d93609ff7f12a7bd0bc9cd7eef7c4c53d5396576b794f5209a81111182
Opcode Fuzzy Hash: eecc60393fb254e5898def52474092bf7f60d20af0a2e47b0e81d8c8a26323ee
Instruction Fuzzy Hash: 8721E6B5900308EFDB10CF9AD484ADEBBF8FB48710F14841AE959A7350D378A954DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D630 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1D5FE,?,?,?,?,?), ref: 00C1D6BF

Memory Dump Source

Source File: 00000024.00000002.3012223330.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_c10000_Pinball.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b91a8424893bc730a0a16edfae4e4ff07116b448e24bd310c6af12fab304e059
Instruction ID: aaaec10fcf2a1edd48a03c2499d3710861959ec9d5969487af3070baeecbcea1
Opcode Fuzzy Hash: b91a8424893bc730a0a16edfae4e4ff07116b448e24bd310c6af12fab304e059
Instruction Fuzzy Hash: 3F2116B5900248EFDB10CFAAD484ADEBFF8FB48710F14841AE958A3350D378A954CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D1E4 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 00C1E090

Memory Dump Source

Source File: 00000024.00000002.3012223330.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_c10000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: dbb6ac78c335c604677a95ca2f154fc0f9929617fdb036edcf1fba6f2c19d054
Instruction ID: 1f3b7611789b4b1c071151c5aa8f27d8171efe89cdbfa008231d352a2d28124a
Opcode Fuzzy Hash: dbb6ac78c335c604677a95ca2f154fc0f9929617fdb036edcf1fba6f2c19d054
Instruction Fuzzy Hash: DE1137718006099FDB20DF9AD844BDEBBF4EB48710F108429E958A7250D378A984DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C1E020 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(00000057,00000000,?,?), ref: 00C1E090

Memory Dump Source

Source File: 00000024.00000002.3012223330.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_c10000_Pinball.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4765eef4fe49c97443dc68582e7f1725b225e0699fc17bfafceac0c7a80d1192
Instruction ID: e673dd50663106b52e959c7378d0e865d24b52f33824e5554ed052f5599d41b1
Opcode Fuzzy Hash: 4765eef4fe49c97443dc68582e7f1725b225e0699fc17bfafceac0c7a80d1192
Instruction Fuzzy Hash: 911137728002499FDB20DF9AD844BDEBBF4EB88720F14841AE568A3251D379A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\huge[1].dat

C:\Users\user\AppData\Local\Temp\nsc77A8.tmp\liteFirewall.dll

C:\Users\user\AppData\Local\Temp\nslCE96.tmp

C:\Users\user\AppData\Local\Temp\nslCE97.tmp\INetC.dll

C:\Users\user\AppData\Local\Temp\nslCE97.tmp\nsProcess.dll

C:\Users\user\AppData\Local\Temp\nsy8A1.tmp

C:\Users\user\AppData\Local\Temp\setup.exe

C:\Users\user\AppData\Roaming\Pinball\Del.exe

C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll

C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll

C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.xml

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe

C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll

C:\Users\user\AppData\Roaming\Pinball\cef.pak

C:\Users\user\AppData\Roaming\Pinball\cef_100_percent.pak

C:\Users\user\AppData\Roaming\Pinball\cef_200_percent.pak

C:\Users\user\AppData\Roaming\Pinball\cef_extensions.pak

Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre