Edit tour

Windows Analysis Report
SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
Analysis ID:	1432522
MD5:	f44bcedfb71262dd1484bcbb63122ba5
SHA1:	b528fc9a7053622bb1495a2d985dc72ef433417c
SHA256:	ac8d45e6a98571d5d6c67f7b60cfdc84e2838f20d815d29e7a229539ab89c468
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Machine Learning detection for dropped file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe (PID: 7316 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe" MD5: F44BCEDFB71262DD1484BCBB63122BA5)

setup.exe (PID: 7712 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: 83EE268A49F0D5FDF1B4A5C56788A0C0)

Pinball.exe (PID: 7924 cmdline: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 3328 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 5480 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3188 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6400 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3268 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6536 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045911343 --mojo-platform-channel-handle=3580 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6352 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045972981 --mojo-platform-channel-handle=3624 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7668 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052668776 --mojo-platform-channel-handle=4388 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052757136 --mojo-platform-channel-handle=4392 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6356 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056196846 --mojo-platform-channel-handle=4504 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6384 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056264728 --mojo-platform-channel-handle=4348 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7772 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4057464444 --mojo-platform-channel-handle=4036 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 3740 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4061594367 --mojo-platform-channel-handle=4628 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 3916 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 5228 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7264 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 764 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 984 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 5552 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6648 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6736 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7824 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 1168 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 2176 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 2920 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 4556 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 928 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6048 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 3872 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6228 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 6684 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

Pinball.exe (PID: 5432 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: AF559066C28515850117F3C93146F67F)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 7712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pinball

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Avira: detection malicious, Label: HEUR/AGEN.1352426

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Virustotal: Detection: 8%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Virustotal: Detection: 8%	Perma Link
Source: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Virustotal: Detection: 13%	Perma Link
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Virustotal: Detection: 15%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Joe Sandbox ML: detected

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pinball

Jump to behavior

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nsv27F2.tmp.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: nsv27F2.tmp.4.dr
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nsv27F2.tmp.4.dr
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vk_swiftshader.dll.pdb source: vk_swiftshader.dll.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: nsv27F2.tmp.4.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nsv27F2.tmp.4.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Pinball.exe, 0000000C.00000002.2806351524.0000000006497000.00000002.00000001.01000000.0000000E.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: e:\work\newContent\secondBranch\new\Pinball\obj\Release\Pinball.pdb source: Pinball.exe, 00000006.00000000.2283800354.0000000000AB2000.00000002.00000001.01000000.0000000B.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Pinball.exe, 0000000C.00000002.2806351524.0000000006497000.00000002.00000001.01000000.0000000E.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Pinball.exe, Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Pinball\Pinball.exeirewall.dlll.pdbC:\Users\user\AppData\Roaming\Pinball\Uninstall.exeinballll source: setup.exe, 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb# source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Directory queried: number of queries: 1466

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_00405B6F CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_00406724 FindFirstFileA,FindClose,	0_2_00406724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_004027AA FindFirstFileA,	0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_004066FF FindFirstFileA,FindClose,	4_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_004027AA FindFirstFileA,	4_2_004027AA

Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View	IP Address: 139.45.195.8 139.45.195.8
Source: Joe Sandbox View	IP Address: 139.45.197.238 139.45.197.238
Source: Joe Sandbox View	IP Address: 139.45.197.238 139.45.197.238

Source: Pinball.exe, 00000010.00000002.2559260857.0000000003089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: Pinball.exe, 00000010.00000002.2559260857.0000000003089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: Pinball.exe, 00000010.00000002.2559260857.0000000003089000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bageyou.xyz
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/275944
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/378067
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/437891.
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/456214
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/497301
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/510270
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/514696
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/642141
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/672186).
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/717501
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/775961
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/819404
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/839189
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/932466
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crbug.com/957772
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Pinball.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: setup.exe, setup.exe, 00000004.00000000.1923487937.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmp, setup.exe, 00000004.00000003.2283879463.000000000050C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Pinball.exe, Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.apache.org/).
Source: Pinball.exe, Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: Pinball.exe	String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsv27F2.tmp.4.dr	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: Pinball.exe, 0000000D.00000002.2807094632.0000000005F5D000.00000002.00000001.00040000.0000001E.sdmp, Pinball.exe, 0000000D.00000002.2807094632.00000000061C5000.00000002.00000001.00040000.0000001E.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.2761208977.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.1996917879.000000000073D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zhngxie.wf/22_2/huge.dat
Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.2761208977.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zhngxie.wf/22_2/huge.datystem32
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://accounts.google.com/
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitpanda.pxf.io/c/4484296/1834392/15871
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bitpanda.pxf.io/c/4484296/1834392/15871?level=1&brwsr=f029ce95-0493-11ef-b92b-19e57e74f5e7&b
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://chrome.google.com/webstore
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://chrome.google.com/webstore/
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: el.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u
Source: el.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=elCtrl$1
Source: Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: lt.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u
Source: lt.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ltCtrl$1
Source: th.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u
Source: th.pak.4.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=thCtrl$1
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://codereview.chromium.org/25305002).
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/issues/652
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.rtmark.net/img.gif?f=merge&userId=00804bba271f4a10f242e50f49f81686&z=6118780&p_rid=6bdb21
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.rtmark.net/img.gif?f=merge&userId=00804bba271f4a10f242e50f49f81686&z=6475485&p_rid=c96a1e
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://myactivity.google.com/
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://passwords.google.com
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://policies.google.com/
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://raw.githubusercontent.com/rust-lang/rust/
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/6118780/?var=6475485&btz=Europe/Zurich&bto=-120&bar=x
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/4/6475485/?ymid=807743399846227968&var=6475484&price=
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/?z=6118780&syncedCookie=false&rhd=false
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/?z=6475485&syncedCookie=true&rhd=false
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=6bdb2147-d92b-4318-83ac-
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=c96a1ea6-52b5-4b09-88f4-
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/sftouch?userId=00804bba271f4a10f242e50f49f81686&z=6118780&p_rid=6bdb2147-d92b-
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rouonixon.com/sftouch?userId=00804bba271f4a10f242e50f49f81686&z=6475485&p_rid=c96a1ea6-52b5-
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: Pinball.exe, Pinball.exe, 0000000D.00000002.2693464321.0000000005316000.00000002.00000001.01000000.0000000D.sdmp, Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: devtools_resources.pak.4.dr	String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.google.com/
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, th.pak.4.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: lt.pak.4.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarko
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.google.com/cloudprint
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: nsv27F2.tmp.4.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ojrq.net/p/?return=https%3A%2F%2Fbitpanda.pxf.io%2Fc%2F4484296%2F1834392%2F15871%3Flevel

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Code function: 0_2_0040560C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040560C

Source: Pinball.exe

Process created: 62

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F1
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004034CC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_004073D5	0_2_004073D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_00406BFE	0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_00406A88	4_2_00406A88
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 9_2_02D24F58	9_2_02D24F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 9_2_02D23860	9_2_02D23860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 9_2_02D21049	9_2_02D21049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 10_2_00A54F58	10_2_00A54F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 10_2_00A51049	10_2_00A51049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 11_2_012A4F58	11_2_012A4F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 11_2_012A3860	11_2_012A3860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 11_2_012A1049	11_2_012A1049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 12_2_02F44F58	12_2_02F44F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 12_2_02F4F660	12_2_02F4F660
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 12_2_02F43860	12_2_02F43860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 12_2_02F41049	12_2_02F41049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 13_2_01044F58	13_2_01044F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 14_2_02724F58	14_2_02724F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 14_2_02723860	14_2_02723860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 14_2_02721049	14_2_02721049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 16_2_017C4F58	16_2_017C4F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 16_2_017C1049	16_2_017C1049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 35_2_02D24F58	35_2_02D24F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 35_2_02D23860	35_2_02D23860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 35_2_02D21049	35_2_02D21049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 36_2_00904F58	36_2_00904F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 36_2_00903860	36_2_00903860

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll 9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameinetc.dllF vs SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Ionic.Zip.dll.4.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.4.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.4.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: Pinball.exe.4.dr, Program.cs

Base64 encoded string: 'YnDWRTK8r6c5zojEHfUjeYwq0KxHWR+kIviH+oUeBmds6Pr+b0Lthdo9nMNShM5A', 'uhF3LXt5Qt0SLDsY6jfyKSSlfd9Ezl9Up389h1W37Y/oAytoVzXDNS/gLcjj5XuIS0iGFBdDAF/gm6UkILWXEw==', 'hv1YFdCloYEyNLL66IoGjGTxOTBY2NeHdp99I3M2Dc7EklUS2DDtd/pnThB1AYI73FQhrOcyo6KuIuWkNrjEqfrp6k8BICmSOM903cv6jAgnSEOe9p/xcLl3Mk0X7WLkX6D1VUt+mX38n0a7kJGZ4Rb3+6D/6DPrY9TzCT5BpK0nUsHeEal7SbMdKkWEd6MlSLCKFui8nIa1JI/0At54rQqsGGbAgrrXdOmMqk4lkS5xhfMyIQnsPdMjCu4BEY0U8elUov1/KXn0GUyc5TNXIz8FBdiPnm5sn9N3WjyFamSGU3EH0Lff/rE9wpGrj46162POsE9ffEVN+CKdkvZjD/FKVqu+U8JCMX2Gp4A1NdGFt5hVppGScW/5HFcp3Rd4fd1J8Cv9Qwz6JTytIvADm0rFYdphgtxjI6qd2Y61/WbY20s6jozxOnLj9kj+EGf4VTLVNGBVQYVrB+vO9sPhgE9E5WiKWiCg9Yxkkfh4YBqAjGHFxOxmKbMPo3TZjo4FRsKsB4q4s7UsHn/8N1GjWjmizdMizrYDlEEdrIFXW7IBo/8df0QQRpcaHSS5ZmgIQ54XdJVOIagY/aoAHtDEPDhlZfS1YNwJLOwtEAse7EzysSQ9GxoxF3StysRzUu7TqUDfDrGLT8S1sxQyD85X0oLFWsolntFx1Gdy1h4ET6g=', 'ZGKx5mLA9vBAqLs21stTAbmThEpfcFrMykeBU2FZhhf3SKrnIolQtcUkZ/ZKWO2L', 'gODqJ8Vax0I4p/vGQ4gzkik+3WFtkCZ3ZEeKdAsOFii7fQ+Ph6PGfEIsIbgT1zz5', 'lkvtt2V6/DTOG1zApUFAi8pqfxgcisb51XmHndTPri89/rzMOf2gdXVSZDPTnLj3', 'pKNq+i1BQH1trhQxDa1G6wibfsjJ/DtvxUe5NQnmf8X9xPvZmCEA9WugtRzKfnSU', 'iEmZ4we9rYJkd7WZCZGRcb5J+UXELGIQ6tCUcbgPjYc5deoZ+XEC8yjloH7ONoUj', 'Vo9CIFOR1kmvDWx6uQeHtEXQ5qa4BDLa5MRdciEbQBS4mYRY4BKpkieJ6xzZ0U8Z', 'PC8CaCO0/46j5GQp9fOMQLN1vghtC/afWyKFxwnIUU2Dz6Z9Bv4bZG1+v+3lOVn/diCrBV4zH2zquMy0Z2Rcww==', 'PC8CaCO0/46j5GQp9fOMQLN1vghtC/afWyKFxwnIUU0okcjVbIPIJIEWejv2fOnqDhNsx6LXM9iq7Q2uAY3Tiw=='

Source: vk_swiftshader.dll.4.dr	Binary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp
Source: vk_swiftshader.dll.4.dr	Binary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp
Source: vk_swiftshader.dll.4.dr	Binary string: ..\..\third_party\swiftshader\src\Device\Context.cpp%s:%d WARNING: UNSUPPORTED: VkIndexType %d
Source: vk_swiftshader.dll.4.dr	Binary string: ..\..\third_party\swiftshader\src\Device\Context.cpp
Source: vk_swiftshader.dll.4.dr	Binary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp%s:%d WARNING: UNSUPPORTED: VkImageViewType %d
Source: vk_swiftshader.dll.4.dr	Binary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp%s:%d WARNING: UNSUPPORTED: Blitter source format %d
Source: vk_swiftshader.dll.4.dr	Binary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp%s:%d WARNING: UNSUPPORTED: polygon mode: %d
Source: vk_swiftshader.dll.4.dr	Binary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp

Source: classification engine

Classification label: mal68.winEXE@273/112@0/17

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F1
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		4_2_004034CC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Code function: 0_2_004048BC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004048BC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar,

0_2_00402173

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

File created: C:\Users\user\AppData\Roaming\Pinball

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Pinball_Logs_mainLog.txt
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Pinball_Logs_rendLog.txt

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

File created: C:\Users\user\AppData\Local\Temp\nswC34C.tmp

Jump to behavior

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe "C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3188 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3268 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045911343 --mojo-platform-channel-handle=3580 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045972981 --mojo-platform-channel-handle=3624 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052668776 --mojo-platform-channel-handle=4388 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052757136 --mojo-platform-channel-handle=4392 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056196846 --mojo-platform-channel-handle=4504 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056264728 --mojo-platform-channel-handle=4348 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4057464444 --mojo-platform-channel-handle=4036 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4061594367 --mojo-platform-channel-handle=4628 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3188 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3268 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045911343 --mojo-platform-channel-handle=3580 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045972981 --mojo-platform-channel-handle=3624 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052668776 --mojo-platform-channel-handle=4388 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052757136 --mojo-platform-channel-handle=4392 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056196846 --mojo-platform-channel-handle=4504 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056264728 --mojo-platform-channel-handle=4348 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4057464444 --mojo-platform-channel-handle=4036 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4061594367 --mojo-platform-channel-handle=4628 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: omadmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iri.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.gaming.input.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: xinput1_4.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: dwritecore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Section loaded: userenv.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Pinball

Jump to behavior

Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: nsv27F2.tmp.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: nsv27F2.tmp.4.dr
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: nsv27F2.tmp.4.dr
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vk_swiftshader.dll.pdb source: vk_swiftshader.dll.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: nsv27F2.tmp.4.dr
Source:	Binary string: libEGL.dll.pdb source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: nsv27F2.tmp.4.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Pinball.exe, 0000000C.00000002.2806351524.0000000006497000.00000002.00000001.01000000.0000000E.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: e:\work\newContent\secondBranch\new\Pinball\obj\Release\Pinball.pdb source: Pinball.exe, 00000006.00000000.2283800354.0000000000AB2000.00000002.00000001.01000000.0000000B.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Pinball.exe, 0000000C.00000002.2806351524.0000000006497000.00000002.00000001.01000000.0000000E.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Pinball.exe, Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, nsv27F2.tmp.4.dr
Source:	Binary string: libGLESv2.dll.pdb source: setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: *?\|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Pinball\Pinball.exeirewall.dlll.pdbC:\Users\user\AppData\Roaming\Pinball\Uninstall.exeinballll source: setup.exe, 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb# source: setup.exe, 00000004.00000002.2753227706.00000000004E1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000003.2750914117.00000000004E1000.00000004.00000020.00020000.00000000.sdmp

Source: Newtonsoft.Json.dll.4.dr

Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]

Source: libEGL.dll.4.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.4.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll.4.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.4.dr	Static PE information: section name: .voltbl
Source: chrome_elf.dll.4.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.4.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.4.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.4.dr	Static PE information: section name: malloc_h
Source: libEGL.dll0.4.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.4.dr	Static PE information: section name: .00cfg
Source: libcef.dll.4.dr	Static PE information: section name: .00cfg
Source: libcef.dll.4.dr	Static PE information: section name: .rodata
Source: libcef.dll.4.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.4.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_3_0284ADB0 push edi; iretd		0_3_0284ADB1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Code function: 12_2_02F4E8A9 push eax; retf		12_2_02F4E8B5

Source: Ionic.Zip.dll.4.dr

Static PE information: section name: .text entropy: 6.821349263259562

Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	File created: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	File created: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	File created: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pinball			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pinball			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 22E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 12A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2B30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 5110000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3030000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 22D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 25D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 45D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 13E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2F90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4E80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: B00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4A30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 14B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 14B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 10C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: BC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 26A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 14B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 32E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 28E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 48E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 11B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2B50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 7D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4650000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 31C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 900000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 25A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2720000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 25E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 3130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: D90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 1000000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 2F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Memory allocated: 4F20000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libcef.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Del.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 8072	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 5180	Thread sleep count: 32 > 30

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_00405B6F CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405B6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_00406724 FindFirstFileA,FindClose,	0_2_00406724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	Code function: 0_2_004027AA FindFirstFileA,	0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	4_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_004066FF FindFirstFileA,FindClose,	4_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Code function: 4_2_004027AA FindFirstFileA,	4_2_004027AA

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: setup.exe, 00000004.00000002.2753227706.0000000000489000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:RR
Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.2761208977.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@]s%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.1997730557.0000000000732000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000004.00000002.2753227706.0000000000489000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Pinball.exe, 0000000A.00000002.2829293634.00000000008CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	API call chain: ExitProcess graph end node			graph_0-3130
Source: C:\Users\user\AppData\Local\Temp\setup.exe	API call chain: ExitProcess graph end node			graph_4-3655

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3188 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3268 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045911343 --mojo-platform-channel-handle=3580 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045972981 --mojo-platform-channel-handle=3624 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052668776 --mojo-platform-channel-handle=4388 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052757136 --mojo-platform-channel-handle=4392 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056196846 --mojo-platform-channel-handle=4504 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056264728 --mojo-platform-channel-handle=4348 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4057464444 --mojo-platform-channel-handle=4036 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4061594367 --mojo-platform-channel-handle=4628 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Code function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F1

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Directory queried: number of queries: 1466

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	11 Process Injection	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	11 Process Injection	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	11%	ReversingLabs
SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	15%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\setup.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	100%	Avira	HEUR/AGEN.1352426
C:\Users\user\AppData\Roaming\Pinball\Del.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	3%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat	9%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\blowfish.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\blowfish.dll	4%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\nsProcess.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\nsProcess.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\setup.exe	3%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\setup.exe	9%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\Del.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Del.exe	13%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe	11%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe	3%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll	1%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libEGL.dll	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	0%	URL Reputation	safe
https://rouonixon.com/4/6118780/?var=6475485&btz=Europe/Zurich&bto=-120&bar=x	0%	Avira URL Cloud	safe
http://crbug.com/378067	0%	Avira URL Cloud	safe
https://rouonixon.com/?z=6475485&syncedCookie=true&rhd=false	0%	Avira URL Cloud	safe
http://crbug.com/510270	0%	Avira URL Cloud	safe
http://zhngxie.wf/22_2/huge.dat	0%	Avira URL Cloud	safe
https://bitpanda.pxf.io/c/4484296/1834392/15871?level=1&brwsr=f029ce95-0493-11ef-b92b-19e57e74f5e7&b	0%	Avira URL Cloud	safe
http://zhngxie.wf/22_2/huge.datystem32	0%	Avira URL Cloud	safe
http://crbug.com/510270	0%	Virustotal		Browse
http://crbug.com/378067	0%	Virustotal		Browse
http://crbug.com/497301	0%	Virustotal		Browse
http://zhngxie.wf/22_2/huge.dat	2%	Virustotal		Browse
http://crbug.com/497301	0%	Avira URL Cloud	safe
https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=6bdb2147-d92b-4318-83ac-	0%	Avira URL Cloud	safe
http://bageyou.xyz	0%	Avira URL Cloud	safe
http://crbug.com/642141	0%	Avira URL Cloud	safe
http://crbug.com/717501	0%	Avira URL Cloud	safe
http://crbug.com/957772	0%	Avira URL Cloud	safe
http://crbug.com/839189	0%	Avira URL Cloud	safe
https://rouonixon.com/sftouch?userId=00804bba271f4a10f242e50f49f81686&z=6475485&p_rid=c96a1ea6-52b5-	0%	Avira URL Cloud	safe
http://crbug.com/839189	0%	Virustotal		Browse
http://bageyou.xyz	0%	Virustotal		Browse
http://crbug.com/819404	0%	Avira URL Cloud	safe
http://crbug.com/957772	0%	Virustotal		Browse
https://rouonixon.com/?z=6475485&syncedCookie=true&rhd=false	4%	Virustotal		Browse
http://crbug.com/514696	0%	Avira URL Cloud	safe
http://crbug.com/717501	0%	Virustotal		Browse
http://api.install-stat.debug.world/clients/installs	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/rust-lang/rust/	0%	Avira URL Cloud	safe
http://crbug.com/775961	0%	Avira URL Cloud	safe
https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=c96a1ea6-52b5-4b09-88f4-	0%	Avira URL Cloud	safe
https://bitpanda.pxf.io/c/4484296/1834392/15871	0%	Avira URL Cloud	safe
http://crbug.com/819404	0%	Virustotal		Browse
https://raw.githubusercontent.com/rust-lang/rust/	0%	Virustotal		Browse
http://crbug.com/642141	0%	Virustotal		Browse
http://crbug.com/775961	0%	Virustotal		Browse
http://crbug.com/514696	0%	Virustotal		Browse
http://api.install-stat.debug.world/clients/installs	0%	Virustotal		Browse
https://bitpanda.pxf.io/c/4484296/1834392/15871	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape	devtools_resources.pak.4.dr	false		high
http://www.apache.org/licenses/LICEN	Pinball.exe	false		high
https://support.google.com/chrome/answer/6098869	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter	devtools_resources.pak.4.dr	false		high
https://www.google.com/chrome/privacy/eula_text.html	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, th.pak.4.dr	false		high
https://rouonixon.com/4/6118780/?var=6475485&btz=Europe/Zurich&bto=-120&bar=x	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rouonixon.com/?z=6475485&syncedCookie=true&rhd=false	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-Atom	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#sec-term	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit	devtools_resources.pak.4.dr	false		high
http://crbug.com/510270	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit	devtools_resources.pak.4.dr	false		high
https://chrome.google.com/webstore?hl=urCtrl$2	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix	devtools_resources.pak.4.dr	false		high
http://crbug.com/378067	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://photos.google.com/settings?referrer=CHROME_NTP	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false		high
https://www.ojrq.net/p/?return=https%3A%2F%2Fbitpanda.pxf.io%2Fc%2F4484296%2F1834392%2F15871%3Flevel	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence	devtools_resources.pak.4.dr	false		high
https://my.rtmark.net/img.gif?f=merge&userId=00804bba271f4a10f242e50f49f81686&z=6118780&p_rid=6bdb21	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=ltCtrl$1	lt.pak.4.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false	URL Reputation: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier	devtools_resources.pak.4.dr	false		high
http://zhngxie.wf/22_2/huge.dat	SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.2761208977.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.1996917879.000000000073D000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=elCtrl$1	el.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter	devtools_resources.pak.4.dr	false		high
https://www.google.com/cloudprint	nsv27F2.tmp.4.dr	false		high
https://passwords.google.com	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion	devtools_resources.pak.4.dr	false		high
https://bitpanda.pxf.io/c/4484296/1834392/15871?level=1&brwsr=f029ce95-0493-11ef-b92b-19e57e74f5e7&b	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zhngxie.wf/22_2/huge.datystem32	SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, 00000000.00000003.2761208977.00000000006F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crbug.com/497301	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u	th.pak.4.dr	false		high
https://github.com/JamesNK/Newtonsoft.Json/issues/652	nsv27F2.tmp.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape	devtools_resources.pak.4.dr	false		high
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false		high
https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=6bdb2147-d92b-4318-83ac-	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape	devtools_resources.pak.4.dr	false		high
http://bageyou.xyz	Pinball.exe, 00000010.00000002.2559260857.0000000003089000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/642141	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4ne	Pinball.exe	false		high
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges	devtools_resources.pak.4.dr	false		high
https://support.google.com/chromebook?p=app_intent	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence	devtools_resources.pak.4.dr	false		high
http://crbug.com/717501	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crbug.com/957772	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges	devtools_resources.pak.4.dr	false		high
http://crbug.com/839189	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore	nsv27F2.tmp.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter	devtools_resources.pak.4.dr	false		high
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	false		high
https://www.google.com/chrome/privacy/eula_text.html&	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u	lt.pak.4.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlT&r	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rouonixon.com/sftouch?userId=00804bba271f4a10f242e50f49f81686&z=6475485&p_rid=c96a1ea6-52b5-	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crbug.com/819404	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape	devtools_resources.pak.4.dr	false		high
https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u	el.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term	devtools_resources.pak.4.dr	false		high
http://crbug.com/514696	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 0000000D.00000002.2694202965.00000000057E0000.00000002.00000001.00040000.0000001C.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error	setup.exe, setup.exe, 00000004.00000000.1923487937.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmp, setup.exe, 00000004.00000003.2283879463.000000000050C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe	false		high
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=ukCtrl$1	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.install-stat.debug.world/clients/installs	Pinball.exe, 00000010.00000002.2559260857.0000000003089000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	nsv27F2.tmp.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative	devtools_resources.pak.4.dr	false		high
https://support.google.com/chrome/a/answer/9122284	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr	false		high
https://raw.githubusercontent.com/rust-lang/rust/	devtools_resources.pak.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits	devtools_resources.pak.4.dr	false		high
https://chrome.google.com/webstore/	nsv27F2.tmp.4.dr	false		high
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	nsv27F2.tmp.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern	devtools_resources.pak.4.dr	false		high
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=zh-CNCtrl$1	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	Pinball.exe, Pinball.exe, 0000000D.00000002.2693464321.0000000005316000.00000002.00000001.01000000.0000000D.sdmp, Pinball.exe, 0000000D.00000002.2628760962.00000000052D2000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter	devtools_resources.pak.4.dr	false		high
https://support.google.com/chrome/answer/6258784	nsv27F2.tmp.4.dr	false		high
http://www.unicode.org/copyright.html	Pinball.exe, 0000000D.00000002.2807094632.0000000005F5D000.00000002.00000001.00040000.0000001E.sdmp, Pinball.exe, 0000000D.00000002.2807094632.00000000061C5000.00000002.00000001.00040000.0000001E.sdmp	false		high
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity	setup.exe, 00000004.00000002.2754591301.0000000004955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=thCtrl$1	th.pak.4.dr	false		high
http://crbug.com/775961	nsv27F2.tmp.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	nsv27F2.tmp.4.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarko	lt.pak.4.dr	false		high
https://www.newtonsoft.com/json	nsv27F2.tmp.4.dr	false		high
https://codereview.chromium.org/25305002).	nsv27F2.tmp.4.dr	false		high
https://rouonixon.com/log/add?cid=1db9169f-90f4-4b2d-b517-bc47aab19c1f&ruid=c96a1ea6-52b5-4b09-88f4-	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitpanda.pxf.io/c/4484296/1834392/15871	Pinball.exe, 0000000C.00000002.2665227863.0000000003111000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction	devtools_resources.pak.4.dr	false		high
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom	devtools_resources.pak.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
108.138.106.24	unknown	United States	16509	AMAZON-02US	false
139.45.195.8	unknown	Netherlands	9002	RETN-ASEU	false
104.18.33.70	unknown	United States	13335	CLOUDFLARENETUS	false
35.201.76.231	unknown	United States	15169	GOOGLEUS	false
139.45.197.238	unknown	Netherlands	9002	RETN-ASEU	false
34.95.127.121	unknown	United States	15169	GOOGLEUS	false
172.64.154.186	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
52.218.109.168	unknown	United States	16509	AMAZON-02US	false
104.18.8.9	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.65.238	unknown	United States	15169	GOOGLEUS	false
87.230.104.210	unknown	Germany	35329	GD-EMEA-DC-CGN3DE	false
172.67.221.174	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.133.129	unknown	United States	13335	CLOUDFLARENETUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.33.110	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432522
Start date and time:	2024-04-27 14:42:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
Detection:	MAL
Classification:	mal68.winEXE@273/112@0/17
EGA Information:	Successful, ratio: 27.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 441 Number of non-executed functions: 52
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target Pinball.exe, PID 3872 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 5480 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 5552 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 6356 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 6400 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 6536 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 7660 because it is empty
Execution Graph export aborted for target Pinball.exe, PID 7668 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
13:44:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Pinball C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
13:44:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Pinball C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
139.45.197.238	http://rndskittytor.com	Get hash	malicious	Unknown	Browse	rndskittytor.com/favicon.ico
	http://whairtoa.com:443	Get hash	malicious	Unknown	Browse	whairtoa.com:443/
	http://deloplen.com/apu.php?zoneid=695986	Get hash	malicious	Unknown	Browse	deloplen.com/apu.php?zoneid=695986
	http://www.footybite.tv/watch/sports-hd1.htm	Get hash	malicious	Unknown	Browse	cdrvrs.com/tag.min.js
	http://soaheeme.net	Get hash	malicious	Unknown	Browse	soaheeme.net/favicon.ico
	http://soaheeme.net	Get hash	malicious	Unknown	Browse	soaheeme.net/favicon.ico
	http://glaurtas.com	Get hash	malicious	Unknown	Browse	glaurtas.com/favicon.ico
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
108.138.106.24	https://view.monday.com/5161111089-3b1de3a3a1b184303d2fc91e5d6d52c7?r=use1	Get hash	malicious	Unknown	Browse
139.45.195.8	http://ww1.streamm4u.ws	Get hash	malicious	Unknown	Browse
	http://shortens.me	Get hash	malicious	Unknown	Browse
	http://boomba.club	Get hash	malicious	HtmlDropper	Browse
	https://t.co/GwSCNEI0Vc	Get hash	malicious	Unknown	Browse
	http://v9.www-ytmp4.com	Get hash	malicious	Unknown	Browse
	http://playtaku.online	Get hash	malicious	Unknown	Browse
	http://blix.sx	Get hash	malicious	Unknown	Browse
	https://x2mate.com/en83	Get hash	malicious	Unknown	Browse
	https://web.topcinema.cam/	Get hash	malicious	Unknown	Browse
	https://hoanoola.net/4/6246380	Get hash	malicious	Unknown	Browse
104.18.33.70	https://t.co/GwSCNEI0Vc	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RETN-ASEU	http://awhauchoa.net	Get hash	malicious	Unknown	Browse	139.45.197.243
	http://lougougauhi.xyz	Get hash	malicious	Unknown	Browse	139.45.197.244
	kdevtmpfsi	Get hash	malicious	Xmrig	Browse	176.113.81.186
	RrB2CY3rY4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	87.245.240.123
	http://ww1.streamm4u.ws	Get hash	malicious	Unknown	Browse	139.45.197.236
	file.exe	Get hash	malicious	Panda Stealer	Browse	109.94.208.20
	http://shortens.me	Get hash	malicious	Unknown	Browse	139.45.197.251
	Y2lhd5X9NB.exe	Get hash	malicious	Unknown	Browse	109.94.208.20
	http://boomba.club	Get hash	malicious	HtmlDropper	Browse	139.45.197.251
	DWoKcG581L.exe	Get hash	malicious	Tofsee	Browse	85.208.208.90
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.93
	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.225
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	104.26.13.205
	launcher.jar	Get hash	malicious	Unknown	Browse	162.159.137.232
	launcher.jar	Get hash	malicious	Discord Token Stealer	Browse	162.159.136.232
	YLICY3GBmX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.90.190
	GcOeQTPzrh.elf	Get hash	malicious	Unknown	Browse	104.26.190.2
	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	172.67.181.9
	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
AMAZON-02US	t7bAVQ2wpF.elf	Get hash	malicious	Unknown	Browse	13.55.99.153
	ZrNKORUSI5.elf	Get hash	malicious	Mirai	Browse	3.193.22.37
	MUm3efxWut.elf	Get hash	malicious	Unknown	Browse	13.61.211.202
	Kryl6TWwj6.elf	Get hash	malicious	Mirai	Browse	18.245.131.247
	O93vO719Sn.elf	Get hash	malicious	Unknown	Browse	34.210.194.197
	fwkeLXlthW.elf	Get hash	malicious	Unknown	Browse	3.195.201.246
	spQm3NLQtH.elf	Get hash	malicious	Unknown	Browse	44.244.213.162
	x1b5bmJgLm.elf	Get hash	malicious	Unknown	Browse	44.233.223.193
	3rU5FsjiS4.elf	Get hash	malicious	Unknown	Browse	3.15.224.238
	wx6NGH4iz5.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
RETN-ASEU	http://awhauchoa.net	Get hash	malicious	Unknown	Browse	139.45.197.243
	http://lougougauhi.xyz	Get hash	malicious	Unknown	Browse	139.45.197.244
	kdevtmpfsi	Get hash	malicious	Xmrig	Browse	176.113.81.186
	RrB2CY3rY4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	87.245.240.123
	http://ww1.streamm4u.ws	Get hash	malicious	Unknown	Browse	139.45.197.236
	file.exe	Get hash	malicious	Panda Stealer	Browse	109.94.208.20
	http://shortens.me	Get hash	malicious	Unknown	Browse	139.45.197.251
	Y2lhd5X9NB.exe	Get hash	malicious	Unknown	Browse	109.94.208.20
	http://boomba.club	Get hash	malicious	HtmlDropper	Browse	139.45.197.251
	DWoKcG581L.exe	Get hash	malicious	Tofsee	Browse	85.208.208.90
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.93
	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.225
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	104.26.13.205
	launcher.jar	Get hash	malicious	Unknown	Browse	162.159.137.232
	launcher.jar	Get hash	malicious	Discord Token Stealer	Browse	162.159.136.232
	YLICY3GBmX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.90.190
	GcOeQTPzrh.elf	Get hash	malicious	Unknown	Browse	104.26.190.2
	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	172.67.181.9
	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Get hash	malicious	Unknown	Browse
	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	Setup (1).exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe	Get hash	malicious	Unknown	Browse
	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	SenOg8gPgc.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\CEF\User Data\4684d7f9-6219-4dd2-875d-c6030fcb92af.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	529
Entropy (8bit):	5.718862721098567
Encrypted:	false
SSDEEP:	12:YKWSCuj9rrt+OC9ZWsikdIdXhnqVierj9ktCdsGacGT8UVkHyLFLFLc:YKWJu5rrtLC7dIlhWYvGacGIU+Yxxc
MD5:	C705387CC79045311CC9DA142F3E3BF4
SHA1:	F96CAEAB3B0340446F27D3B618F464947AD46950
SHA-256:	147019C1C0591ABDF5EF348F922EA7645F53F4BE561AC4CABD4D6C073E144622
SHA-512:	5056801E2C40A7BE552DD9B91DE998FAA35C2D2F635D29C00E318BBB707E2D379518ED051FB53CE5692875774F2206BDB6D14A877519511A2AD4B6BEB6F886C1
Malicious:	false
Preview:	{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAiu0hub3o2SbKwkjHr6cEnEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAADBfuHDB73Wg/WCv9MFq4bel8abb8cWqCqDbP6IA2VNigAAAAAOgAAAAAIAACAAAABPwNC15hhqKNpb3zylvHF3LVv9oDPVyA8gnp2RwuWPoTAAAACd2v2DAYRrjWMbMcCmGGWkb1kF89TosY+5o4CikVdKQwLuUoNneTcFUXeveBCD9QFAAAAAzumyFvp3go6gx6QYjyEQsj4+ll0xo6EmIksqI+1YE1v08swDabd2nLKR/zjdRHZbDOOVs4K3FE+89/0eZW8yig=="},"profile_network_context_service":{"http_cache_finch_experiment_groups":"None None None None"}}

C:\Users\user\AppData\Local\CEF\User Data\LocalPrefs.json (copy)

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	529
Entropy (8bit):	5.718862721098567
Encrypted:	false
SSDEEP:	12:YKWSCuj9rrt+OC9ZWsikdIdXhnqVierj9ktCdsGacGT8UVkHyLFLFLc:YKWJu5rrtLC7dIlhWYvGacGIU+Yxxc
MD5:	C705387CC79045311CC9DA142F3E3BF4
SHA1:	F96CAEAB3B0340446F27D3B618F464947AD46950
SHA-256:	147019C1C0591ABDF5EF348F922EA7645F53F4BE561AC4CABD4D6C073E144622
SHA-512:	5056801E2C40A7BE552DD9B91DE998FAA35C2D2F635D29C00E318BBB707E2D379518ED051FB53CE5692875774F2206BDB6D14A877519511A2AD4B6BEB6F886C1
Malicious:	false
Preview:	{"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAiu0hub3o2SbKwkjHr6cEnEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAADBfuHDB73Wg/WCv9MFq4bel8abb8cWqCqDbP6IA2VNigAAAAAOgAAAAAIAACAAAABPwNC15hhqKNpb3zylvHF3LVv9oDPVyA8gnp2RwuWPoTAAAACd2v2DAYRrjWMbMcCmGGWkb1kF89TosY+5o4CikVdKQwLuUoNneTcFUXeveBCD9QFAAAAAzumyFvp3go6gx6QYjyEQsj4+ll0xo6EmIksqI+1YE1v08swDabd2nLKR/zjdRHZbDOOVs4K3FE+89/0eZW8yig=="},"profile_network_context_service":{"http_cache_finch_experiment_groups":"None None None None"}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107290516
Entropy (8bit):	7.999948017304014
Encrypted:	true
SSDEEP:	3145728:1GBIc4mTIyQh269GJ1bMWTGokO7WPeoOEnz1J829:e4RX9xsReeofnz1J8U
MD5:	83EE268A49F0D5FDF1B4A5C56788A0C0
SHA1:	BD58125A7B0D03E00A1677E48FFB9D78190E7B88
SHA-256:	AC6350EF86E32916EF30879CB755141F1650E039678B6BD8A2A6AFFDF85FA8F4
SHA-512:	A84F1844495A5E9383A258233003B339809FF6C2CE60DAE8FB75C1472EAAF54E0201A66D1A300372D1D5F92120210B4DFA744588AC9256835D7824F0B2F31AF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 9%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.389604568119155
Encrypted:	false
SSDEEP:	1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:	165E1EF5C79475E8C33D19A870E672D4
SHA1:	965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:	9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:	CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, Detection: malicious, Browse Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv27F2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	358363994
Entropy (8bit):	6.9721502168311424
Encrypted:	false
SSDEEP:	3145728:0TzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSs0V97nN:0nUs4tvaVzTD9rN
MD5:	695A8F7352C3B64445BDBD714AAEC1E2
SHA1:	922C08231BEA0D9728B40893A9EA53679464D884
SHA-256:	7D5987A0CEAEA5148E91ED807F31F9806E4894B5350E75F6D4825905048FEC28
SHA-512:	EFCA20136D717BF9F524F1B729752C43257FC98A9D49D5EE7E2743A7242D890C2398BEEFF65A34C43251AE3DD778CF3E181ED2ED1C7E403E87BA1BF3BF081419
Malicious:	false
Preview:	........,.......................H...........................................................................................................................................................................................................................................................e...i...........~...j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nswC34D.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File Type:	data
Category:	dropped
Size (bytes):	62997
Entropy (8bit):	5.472448149622667
Encrypted:	false
SSDEEP:	1536:shNkqY3Q4Oc//////Q0Laf3GojW/lX1Xb41:4u3Sc//////Q3f3GojW/XXy
MD5:	2467D6129E8D8171789D056BFCF39F4D
SHA1:	293A7950F4A5D8F4943AD4EDE623088F6121C45A
SHA-256:	AA4975F064326CF72E5256C10CD33E85E2956606829813697D742CCEEE67D1B8
SHA-512:	264CD524EC962F0DB3BD6EAADA2FB1FFE67260925255C5826A378F1DFBCA77A974D718D825199BCC840EF0A4B2AC58BA2B6771D6742E3AB0DAC6117D915F10BE
Malicious:	false
Preview:	.6......,...................\|...T/......+5.......6..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.668346578219837
Encrypted:	false
SSDEEP:	384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:	92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:	D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:	5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:	581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 1%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, Detection: malicious, Browse Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: SenOg8gPgc.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe, Detection: malicious, Browse Filename: Setup (1).exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\blowfish.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	6.674611218414922
Encrypted:	false
SSDEEP:	384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:	5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:	FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:	053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:	F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 4%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....\|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107290516
Entropy (8bit):	7.999948017304014
Encrypted:	true
SSDEEP:	3145728:1GBIc4mTIyQh269GJ1bMWTGokO7WPeoOEnz1J829:e4RX9xsReeofnz1J8U
MD5:	83EE268A49F0D5FDF1B4A5C56788A0C0
SHA1:	BD58125A7B0D03E00A1677E48FFB9D78190E7B88
SHA-256:	AC6350EF86E32916EF30879CB755141F1650E039678B6BD8A2A6AFFDF85FA8F4
SHA-512:	A84F1844495A5E9383A258233003B339809FF6C2CE60DAE8FB75C1472EAAF54E0201A66D1A300372D1D5F92120210B4DFA744588AC9256835D7824F0B2F31AF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 9%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\DawnCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlAN:Ls3A
MD5:	9E9A41780FC51235103AE3AA64C21448
SHA1:	C5B69188E752331FBCF3D32045DC74BA5DA83C79
SHA-256:	D7BC5E170DCB9E19AE76AE00E01FB878FBC797CA95B146AA479E4063C9359680
SHA-512:	F3AE2F649F37D3D05CE3955498CDD657D4C20C4DCBC63988A3D0A1355CF7BB3EA7DBEB525DF636155AB57B38C9FC24D7BFB59E97AC35236E5117DA43ECEBFA9A
Malicious:	false
Preview:	..........................................s..u/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\Del.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.622398838808078
Encrypted:	false
SSDEEP:	96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:	97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:	44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:	8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:	7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 13%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....(........0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#......0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\GPUCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlslR:Ls3s
MD5:	D82739D3E94E51F5C0629B1590044DF6
SHA1:	157CF6ED44445D3E00595D0E78B222C0B5F889F8
SHA-256:	DEC91C517E5AEF0C4BB596C002330C6E6188545B53EF0D1D65B4A1E7305F6CF9
SHA-512:	CE05B8C5E971003EA66A7ED3BD1ED3C8886168752BD42798AF00976219CE588DF147EE545696312A64CB27A57C369212AEAD2F18BD42118DDD36158F5BEA93BE
Malicious:	false
Preview:	..........................................p..u/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462336
Entropy (8bit):	6.803831500359682
Encrypted:	false
SSDEEP:	6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:	6DED8FCBF5F1D9E422B327CA51625E24
SHA1:	8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:	3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:	BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(.......0..2........r...p(....}.......}"....(........(.........(......r...p(....}.......}"....(........(......0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...rr!..p.{.....{.....B...(....*..0..A........{..

C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574376
Entropy (8bit):	5.8881470355864725
Encrypted:	false
SSDEEP:	12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:	8F81C9520104B730C25D90A9DD511148
SHA1:	7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:	F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:	B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D.....{F.......-.....0...........-.r...ps....z.o......-.~.....~....X...+....b..

C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561424
Entropy (8bit):	4.606896607960262
Encrypted:	false
SSDEEP:	6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:	928ED37DB61C1E98A2831C8C01F6157C
SHA1:	98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:	39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:	F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	296448
Entropy (8bit):	5.660474224270683
Encrypted:	false
SSDEEP:	3072:xTpjcs9YPfVVHaqUlnhblNK/LL6LO7RlOgAw4OVzdvayfvYn6P:ppL9+9V6qEb06LO7RlH7zdyyq
MD5:	AF559066C28515850117F3C93146F67F
SHA1:	200AC6FA7972BA3018CAF81110FD86353712CE45
SHA-256:	BE3E7AC050B52C36C27D0952F6FAB0B61AE83993C52DF73CA72FCF35A48B0956
SHA-512:	246889D3899B439E01941DCBC7D774A14A6349246A24E3EB8952213A590F7C69EF4D71694A15AA0FF45EFA98D71BE13537D6219DA060A6AFD06C5EC96F7AB3C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 11%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+f..............0.............>.... ........@.. ....................................@....................................O.......l............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...l...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....Z..(....,...(....(.....(......(......(............~........0..W.......(....".....(......,..o....-...o.....+...( .....o....&..(!...-...........o"....."...BZ.......%..A.......0..Q.......(....(........,..o....-...o.....+...( .....o....&.._...(!...-...........o"..............!. A.......0..V.......(....(......,..o....-.~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	215868
Entropy (8bit):	5.849250731809078
Encrypted:	false
SSDEEP:	3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kPI:rxFSI+y1qk6zuPI
MD5:	19465A2847A815EE6327B250B557717B
SHA1:	8222694DA1ECFBC4B1D836B52D96AA43767FDABC
SHA-256:	6049B5573430700AD8CBC4800FF210EDA1608914944B1C781D31CCFADEBBBC95
SHA-512:	5FD0AEB5E379CA67CB995B87E6F7F5F5DE04816CB8BFFE722F07A8D80C74C084F28419D8E08AB83FC585E4C2C11ED202E4CC7897FB1133CF9BF1CE40C1F7B966
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.621956468920589
Encrypted:	false
SSDEEP:	12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:	B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:	6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:	F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:	19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(......(......(....^.(.......=...%...}....:.(......}....:.(......}....^.(.......>...%...}....:.(......}.....(.............0..,.......(....o.......3......... ....3.(....-.....0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..("..............+1...........4.......~.....~......(.....~....,..(#...-.(....-..(....+.r...ps$...z(..........b.r...p(%...~.....(....&*.r

C:\Users\user\AppData\Roaming\Pinball\cef.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1946739
Entropy (8bit):	7.989700491058983
Encrypted:	false
SSDEEP:	49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:	96AD47D78A70B33158961585D9154ECC
SHA1:	149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:	C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:	6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:	false
Preview:	........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)\|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....)..........F....]....3....v........v...................$... ....!8..."....#....$....%*..

C:\Users\user\AppData\Roaming\Pinball\cef_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	214119
Entropy (8bit):	7.955451054538398
Encrypted:	false
SSDEEP:	6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:	391F512173ECEC14EB5CE31299858DE1
SHA1:	3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:	E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:	44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:	false
Preview:	........................#.b...&.....:.g....7.....7.....7.....7\|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.\|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U\|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

C:\Users\user\AppData\Roaming\Pinball\cef_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	290001
Entropy (8bit):	7.9670215100557735
Encrypted:	false
SSDEEP:	6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:	BF59A047984EAFC79E40B0011ED4116D
SHA1:	DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:	CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:	85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:	false
Preview:	........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.\|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF\|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N....N.+...Nv,...N.-...N;r...N.\|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

C:\Users\user\AppData\Roaming\Pinball\cef_extensions.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1305142
Entropy (8bit):	7.99463351416358
Encrypted:	true
SSDEEP:	24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:	20DDA02AF522924E45223D7262D0E1ED
SHA1:	378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:	8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:	E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:	false
Preview:	........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..\|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

C:\Users\user\AppData\Roaming\Pinball\cef_sandbox.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87182312
Entropy (8bit):	5.477474753748716
Encrypted:	false
SSDEEP:	196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:	FFD456A85E341D430AFA0C07C1068538
SHA1:	59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:	F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:	EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:	false
Preview:	!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

C:\Users\user\AppData\Roaming\Pinball\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	656926
Entropy (8bit):	7.964275415195004
Encrypted:	false
SSDEEP:	12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
MD5:	3404DD2B0E63D9418F755430336C7164
SHA1:	0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:	0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:	685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:	false
Preview:	..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.\|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<\|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

C:\Users\user\AppData\Roaming\Pinball\chrome_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1017158
Entropy (8bit):	7.951759131641406
Encrypted:	false
SSDEEP:	24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
MD5:	3FBF52922588A52245DC927BCC36DBB3
SHA1:	EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:	C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:	682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:	false
Preview:	..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@\|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1174528
Entropy (8bit):	6.475826085865088
Encrypted:	false
SSDEEP:	24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5:	207AC4BE98A6A5A72BE027E0A9904462
SHA1:	D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:	2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:	BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2106216
Entropy (8bit):	6.4563314852745375
Encrypted:	false
SSDEEP:	49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5:	1C9B45E87528B8BB8CFA884EA0099A85
SHA1:	98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:	2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:	B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4127200
Entropy (8bit):	6.577665867424953
Encrypted:	false
SSDEEP:	49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5:	3B4647BCB9FEB591C2C05D1A606ED988
SHA1:	B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:	00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\devtools_resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2205743
Entropy (8bit):	7.923318114432295
Encrypted:	false
SSDEEP:	49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5:	54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:	33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:	2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:	5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:	false
Preview:	........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[....[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\...>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

C:\Users\user\AppData\Roaming\Pinball\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\Pinball\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	377856
Entropy (8bit):	6.602916265542373
Encrypted:	false
SSDEEP:	6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
MD5:	8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1:	B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256:	CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512:	3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............\|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6635008
Entropy (8bit):	6.832077162910607
Encrypted:	false
SSDEEP:	196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
MD5:	63988D35D7AB96823B5403BE3C110F7F
SHA1:	8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256:	E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512:	D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\libcef.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176517632
Entropy (8bit):	7.025874989859836
Encrypted:	false
SSDEEP:	1572864:VSuR7JVHywK/Sf1rWID4Pu2v8zgguHWJEqM90Hw4DclJkBLrWXmfnehuWNIPKtlL:MCYRNIPKYTFBhfmOS9KBaVz
MD5:	F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1:	C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256:	3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512:	2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.\|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..\|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\libcef.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	40258
Entropy (8bit):	4.547436244061504
Encrypted:	false
SSDEEP:
MD5:	310744A0E10BD9C2C6F50C525E4447F9
SHA1:	9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256:	E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512:	6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious:	false
Preview:	!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N\|..N\|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h..h..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

C:\Users\user\AppData\Roaming\Pinball\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	470498
Entropy (8bit):	5.409080468053459
Encrypted:	false
SSDEEP:
MD5:	64F46DC20A140F2FA3D4677E7CD85DD1
SHA1:	5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256:	BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512:	F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious:	false
Preview:	........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.\|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

C:\Users\user\AppData\Roaming\Pinball\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	763010
Entropy (8bit):	4.909167677028143
Encrypted:	false
SSDEEP:
MD5:	3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1:	6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256:	F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512:	CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious:	false
Preview:	........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...\|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....\|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....\|...........$.............................1.....}.........................................Z.................\|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2....................+....",.....,

C:\Users\user\AppData\Roaming\Pinball\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	838413
Entropy (8bit):	4.920788245468804
Encrypted:	false
SSDEEP:
MD5:	C70B71B05A8CA5B8243C951B96D67453
SHA1:	DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256:	5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512:	E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.\|...w.....y.....z.....\|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).........z..............t+.....,....{,.....,....--

C:\Users\user\AppData\Roaming\Pinball\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	869469
Entropy (8bit):	4.677916300869337
Encrypted:	false
SSDEEP:
MD5:	12A9400F521EC1D3975257B2061F5790
SHA1:	100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256:	B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512:	31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious:	false
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

C:\Users\user\AppData\Roaming\Pinball\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1118348
Entropy (8bit):	4.2989199535081895
Encrypted:	false
SSDEEP:
MD5:	89A24AF99D5592AB8964B701F13E1706
SHA1:	2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:	5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:	60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:	false
Preview:	........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).........6.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

C:\Users\user\AppData\Roaming\Pinball\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537139
Entropy (8bit):	5.397688491907634
Encrypted:	false
SSDEEP:
MD5:	37B54705BD9620E69E7E9305CDFAC7AB
SHA1:	D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:	98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:	42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:	false
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....\|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................\|...........".....>.

C:\Users\user\AppData\Roaming\Pinball\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	545011
Entropy (8bit):	5.844949195905198
Encrypted:	false
SSDEEP:
MD5:	65A2C2A73232AB1073E44E0FB6310A5F
SHA1:	F3158AA527538819C93F57E2C778198A94416C98
SHA-256:	E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:	20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:	false
Preview:	.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................\|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

C:\Users\user\AppData\Roaming\Pinball\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	496165
Entropy (8bit):	5.446061543230436
Encrypted:	false
SSDEEP:
MD5:	A44EC6AAA456A6129FD820CA75E968BE
SHA1:	9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:	F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:	947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:	false
Preview:	........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}."........../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q..................................q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

C:\Users\user\AppData\Roaming\Pinball\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	534726
Entropy (8bit):	5.49306456316532
Encrypted:	false
SSDEEP:
MD5:	49CA708EBB7A4913C36F7461F094886B
SHA1:	13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:	8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:	6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:	false
Preview:	.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

C:\Users\user\AppData\Roaming\Pinball\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	950999
Entropy (8bit):	4.76377388695373
Encrypted:	false
SSDEEP:
MD5:	9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:	2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:	E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:	F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:	false
Preview:	........)$..e.H...h.P...i.X...j.b...k.q...l.\|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....\|&.....&.....'.....'....;(....t(.....(....M).....)....;....h....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

C:\Users\user\AppData\Roaming\Pinball\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	430665
Entropy (8bit):	5.517246002357965
Encrypted:	false
SSDEEP:
MD5:	0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:	C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:	E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:	07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:	false
Preview:	.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[............................V.....a................l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

C:\Users\user\AppData\Roaming\Pinball\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	434598
Entropy (8bit):	5.509004494756697
Encrypted:	false
SSDEEP:
MD5:	FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:	E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:	C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:	E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

C:\Users\user\AppData\Roaming\Pinball\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	524728
Entropy (8bit):	5.377464936206393
Encrypted:	false
SSDEEP:
MD5:	32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:	7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:	AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:	860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:	false
Preview:	........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....\|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

C:\Users\user\AppData\Roaming\Pinball\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	523181
Entropy (8bit):	5.356449408331279
Encrypted:	false
SSDEEP:
MD5:	3D1720FE1D801D54420438A54CBE1547
SHA1:	8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:	AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:	C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:	false
Preview:	........5$..e.`...h.h...i.p...j.\|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....\|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z................f.....{...........o.................g...........+.....P.................8.....N.................".....1......................@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

C:\Users\user\AppData\Roaming\Pinball\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	475733
Entropy (8bit):	5.456553040437113
Encrypted:	false
SSDEEP:
MD5:	C00D66D3FD4FD9D777949E2F115F11FB
SHA1:	A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:	26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:	E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:	false
Preview:	........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...\|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

C:\Users\user\AppData\Roaming\Pinball\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	773397
Entropy (8bit):	5.04618630633187
Encrypted:	false
SSDEEP:
MD5:	C998140F7970B81117B073A87430A748
SHA1:	8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:	182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:	5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...\|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....\|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M....p.....*....n+.....+.....+....d,.....-....P-....x-

C:\Users\user\AppData\Roaming\Pinball\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	483378
Entropy (8bit):	5.428549632880935
Encrypted:	false
SSDEEP:
MD5:	1CFD31A6B740D95E4D5D53432743EBF1
SHA1:	20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:	F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:	C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

C:\Users\user\AppData\Roaming\Pinball\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	546749
Entropy (8bit):	5.197094281578282
Encrypted:	false
SSDEEP:
MD5:	6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:	BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:	3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:	47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:	false
Preview:	.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....\|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

C:\Users\user\AppData\Roaming\Pinball\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	568277
Entropy (8bit):	5.380723339968972
Encrypted:	false
SSDEEP:
MD5:	D185162DF4CAC9DCE7D70926099D1CF1
SHA1:	46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:	E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:	987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:	false
Preview:	.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

C:\Users\user\AppData\Roaming\Pinball\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1103776
Entropy (8bit):	4.336526106451521
Encrypted:	false
SSDEEP:
MD5:	44F704DB17F0203FA5195DC4572C946C
SHA1:	205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:	4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:	3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:	false
Preview:	........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...\|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....\|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....\|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....\|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....\|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

C:\Users\user\AppData\Roaming\Pinball\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	681555
Entropy (8bit):	4.658620623200349
Encrypted:	false
SSDEEP:
MD5:	E75086A24ECAA25CD18D547AB041C65A
SHA1:	C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:	55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:	01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:	false
Preview:	.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....\|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

C:\Users\user\AppData\Roaming\Pinball\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1167065
Entropy (8bit):	4.308980564019689
Encrypted:	false
SSDEEP:
MD5:	1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:	56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:	62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:	3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y..........}...........;........................................[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6..........*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

C:\Users\user\AppData\Roaming\Pinball\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	526575
Entropy (8bit):	5.518614920030561
Encrypted:	false
SSDEEP:
MD5:	0BD2F9847C151F9A6FC0D59A0074770C
SHA1:	EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:	5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:	0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:	false
Preview:	........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...\|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

C:\Users\user\AppData\Roaming\Pinball\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	566819
Entropy (8bit):	5.6387082185760935
Encrypted:	false
SSDEEP:
MD5:	4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:	5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:	AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:	0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:	false
Preview:	.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.............................................".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

C:\Users\user\AppData\Roaming\Pinball\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	466959
Entropy (8bit):	5.379636778781472
Encrypted:	false
SSDEEP:
MD5:	1466C484179769A2263542E943742E59
SHA1:	18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:	C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:	ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:	false
Preview:	........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....\|.......................C.....b.....r...........1.....h.

C:\Users\user\AppData\Roaming\Pinball\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	522800
Entropy (8bit):	5.284113957149261
Encrypted:	false
SSDEEP:
MD5:	7767A70358D0AE6D408FF979DF9B2CD4
SHA1:	9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:	672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:	913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:	false
Preview:	........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2..................................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x..............................................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

C:\Users\user\AppData\Roaming\Pinball\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	634636
Entropy (8bit):	5.718480148171718
Encrypted:	false
SSDEEP:
MD5:	4A4AF69546DCF65F2D722A574E221BEA
SHA1:	EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:	7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:	0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:	false
Preview:	........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...\|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U................d.....z....."................?...........X.................`.................@.................g............ ..... ..... .....

C:\Users\user\AppData\Roaming\Pinball\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1256908
Entropy (8bit):	4.247594585839553
Encrypted:	false
SSDEEP:
MD5:	6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:	6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:	E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:	BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:	false
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[......................................................................u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N...............,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

C:\Users\user\AppData\Roaming\Pinball\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532715
Entropy (8bit):	6.0824169765918725
Encrypted:	false
SSDEEP:
MD5:	5FD9942F57FFC499481947DB0C3FDFA7
SHA1:	4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:	09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:	97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:	false
Preview:	........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...\|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

C:\Users\user\AppData\Roaming\Pinball\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	573015
Entropy (8bit):	5.63016577624216
Encrypted:	false
SSDEEP:
MD5:	8745B87D09D9ECC1112C60F5DD934034
SHA1:	2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:	D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:	27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:	false
Preview:	........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

C:\Users\user\AppData\Roaming\Pinball\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	570683
Entropy (8bit):	5.624052036286866
Encrypted:	false
SSDEEP:
MD5:	E16B0B814074ACBD3A72AF677AC7BE84
SHA1:	10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:	46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:	70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:	false
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................\|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

C:\Users\user\AppData\Roaming\Pinball\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1307271
Entropy (8bit):	4.279854356980692
Encrypted:	false
SSDEEP:
MD5:	309E068B4E15157486D095301370B234
SHA1:	D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:	4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:	6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:	false
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................\|............ ..... .....!.....!....".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....)..........*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....\|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

C:\Users\user\AppData\Roaming\Pinball\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1075591
Entropy (8bit):	4.313573412022857
Encrypted:	false
SSDEEP:
MD5:	69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:	C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:	6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:	8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:	false
Preview:	.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).........y.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

C:\Users\user\AppData\Roaming\Pinball\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	489457
Entropy (8bit):	5.250540323172458
Encrypted:	false
SSDEEP:
MD5:	A1253E64F8910162B15B56883798E3C0
SHA1:	68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:	E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:	ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:	false
Preview:	........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

C:\Users\user\AppData\Roaming\Pinball\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	476208
Entropy (8bit):	5.4272499712806965
Encrypted:	false
SSDEEP:
MD5:	622ED80836E0EF3F949ED8A379CBE6DF
SHA1:	9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:	560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:	950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:	false
Preview:	........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....\|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

C:\Users\user\AppData\Roaming\Pinball\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	491139
Entropy (8bit):	5.362822162782947
Encrypted:	false
SSDEEP:
MD5:	C8378A81039DB6943F97286CC8C629F1
SHA1:	758D9AB331C394709F097361612C6D44BDE4E8FE
SHA-256:	318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
SHA-512:	6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
Malicious:	false
Preview:	.........$..e....h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................#..........1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................\|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

C:\Users\user\AppData\Roaming\Pinball\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	550453
Entropy (8bit):	5.757462673735937
Encrypted:	false
SSDEEP:
MD5:	80C5893068C1D6CE9AEF23525ECAD83C
SHA1:	A2A7ADEE70503771483A2500786BF0D707B3DF6B
SHA-256:	0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
SHA-512:	3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
Malicious:	false
Preview:	........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

C:\Users\user\AppData\Roaming\Pinball\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	516256
Entropy (8bit):	5.426294949123783
Encrypted:	false
SSDEEP:
MD5:	3BA426E91C34E1C33F13912974835F7D
SHA1:	467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
SHA-256:	CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
SHA-512:	824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
Malicious:	false
Preview:	........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

C:\Users\user\AppData\Roaming\Pinball\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	518861
Entropy (8bit):	5.4029194034596575
Encrypted:	false
SSDEEP:
MD5:	4D7D724BE592BD0280ED28388EAA8D43
SHA1:	8E3C46B77639EB480A90AD27383FBB14C4176960
SHA-256:	4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
SHA-512:	D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
Malicious:	false
Preview:	........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...\|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....\|...........J.......

C:\Users\user\AppData\Roaming\Pinball\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537125
Entropy (8bit):	5.4566742297332596
Encrypted:	false
SSDEEP:
MD5:	4F1C0A8632218F6FEF6BAB0917BEB84F
SHA1:	05E497C8525CB1ADE6A0DAEFE09370EC45176E35
SHA-256:	9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
SHA-512:	A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
Malicious:	false
Preview:	........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

C:\Users\user\AppData\Roaming\Pinball\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	878725
Entropy (8bit):	4.848685093578222
Encrypted:	false
SSDEEP:
MD5:	3A3D0D865A78399306924D3ED058274E
SHA1:	AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256:	EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512:	ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious:	false
Preview:	.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....\|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]..........+....$+.....+.....,.....-

C:\Users\user\AppData\Roaming\Pinball\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	553886
Entropy (8bit):	5.812150703289796
Encrypted:	false
SSDEEP:
MD5:	A9656846F66A36BB399B65F7B702B47D
SHA1:	4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:	02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:	7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:	false
Preview:	........5$..e.`...h.h...i.\|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....\|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

C:\Users\user\AppData\Roaming\Pinball\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532410
Entropy (8bit):	5.486224954097277
Encrypted:	false
SSDEEP:
MD5:	BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:	84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:	833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:	1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:	false
Preview:	.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....\|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

C:\Users\user\AppData\Roaming\Pinball\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	818089
Entropy (8bit):	4.779985663253385
Encrypted:	false
SSDEEP:
MD5:	AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:	CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:	1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:	CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:	false
Preview:	........=$\|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........\|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

C:\Users\user\AppData\Roaming\Pinball\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	479512
Entropy (8bit):	5.541069475898216
Encrypted:	false
SSDEEP:
MD5:	09592A0D35100CD9707C278C9FFC7618
SHA1:	B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:	9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:	E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:	false
Preview:	.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.\|...t.....v.....w.....y.....z.....\|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................\|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

C:\Users\user\AppData\Roaming\Pinball\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	504856
Entropy (8bit):	5.34516819438501
Encrypted:	false
SSDEEP:
MD5:	9E038A0D222055FED6F1883992DCA5A8
SHA1:	8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:	DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:	FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:	false
Preview:	........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

C:\Users\user\AppData\Roaming\Pinball\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1298313
Entropy (8bit):	4.058495187693592
Encrypted:	false
SSDEEP:
MD5:	36104CB0D5E26E0BBB313E529C14F4B4
SHA1:	69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:	DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:	D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:	false
Preview:	.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4..........*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

C:\Users\user\AppData\Roaming\Pinball\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1199612
Entropy (8bit):	4.314031920337284
Encrypted:	false
SSDEEP:
MD5:	98714389748A98ECC536CD2F17859BDF
SHA1:	07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:	8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:	38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:	false
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...\|.]...}.o.....w.....\|.......................................................................X...........J...........\|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....$....k$.....%.....&....6'.....'.....(.....)........._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

C:\Users\user\AppData\Roaming\Pinball\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1008989
Entropy (8bit):	4.356501290091745
Encrypted:	false
SSDEEP:
MD5:	56F29DE3465795E781A52FCF736BBE08
SHA1:	EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:	529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:	519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:	false
Preview:	........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...\|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....\|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....)...............+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

C:\Users\user\AppData\Roaming\Pinball\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	515329
Entropy (8bit):	5.616482888977033
Encrypted:	false
SSDEEP:
MD5:	46CA9EE922C3C175DE466066F40B29CE
SHA1:	5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:	BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:	45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:	false
Preview:	........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...\|.\|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

C:\Users\user\AppData\Roaming\Pinball\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	876131
Entropy (8bit):	4.88404350774067
Encrypted:	false
SSDEEP:
MD5:	1365ABDD1EFB44720EA3975E4A472530
SHA1:	8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:	29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:	2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........\|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

C:\Users\user\AppData\Roaming\Pinball\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	765853
Entropy (8bit):	5.17061834928747
Encrypted:	false
SSDEEP:
MD5:	3FED15E64BEAFBA75DE61B08A45AE106
SHA1:	E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:	B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:	3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:	false
Preview:	........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....\|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s............................p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3..............]+.....+.....,....F,.....,....z-.....-

C:\Users\user\AppData\Roaming\Pinball\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	609259
Entropy (8bit):	5.796202390024141
Encrypted:	false
SSDEEP:
MD5:	CD741C24AF7597E0DC11069D3AC324E0
SHA1:	2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:	13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:	6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r....s.;...t.D...v.Y...w.f...y.l...z.{...\|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._..................................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

C:\Users\user\AppData\Roaming\Pinball\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	441207
Entropy (8bit):	6.685712707138377
Encrypted:	false
SSDEEP:
MD5:	99E6ACFB46923C4F8B29058E9EE6166B
SHA1:	AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:	9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:	4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:	false
Preview:	.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................\|.......................x.

C:\Users\user\AppData\Roaming\Pinball\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	439630
Entropy (8bit):	6.6906570508767995
Encrypted:	false
SSDEEP:
MD5:	BB7C995F257B9125457381BB01856D72
SHA1:	21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:	F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:	5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:	false
Preview:	.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....\|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

C:\Users\user\AppData\Roaming\Pinball\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	5.778490068583466
Encrypted:	false
SSDEEP:
MD5:	7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:	4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:	EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:	91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>....?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}.......0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4.............//........{...."..}......{........0..4..........%...(5....-.~....r?..p(....+...}.......,..(6............')........{......{...."..}.......{...."..}....*.0..........

C:\Users\user\AppData\Roaming\Pinball\log4net.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1547797
Entropy (8bit):	4.370092880615517
Encrypted:	false
SSDEEP:
MD5:	32AB4E0A9A82245EE3B474EF811F558F
SHA1:	9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:	9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:	A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

C:\Users\user\AppData\Roaming\Pinball\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	342741
Entropy (8bit):	5.496697631795104
Encrypted:	false
SSDEEP:
MD5:	A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:	7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:	BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:	0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:	false
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

C:\Users\user\AppData\Roaming\Pinball\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	8226870
Entropy (8bit):	7.996842728494533
Encrypted:	true
SSDEEP:
MD5:	F7EC58AEA756F3FD8A055AC582103A78
SHA1:	086B63691F5E5375A537E99E062345F56512A22C
SHA-256:	517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:	C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:	false
Preview:	............f.6:..{..D..\|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.\|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

C:\Users\user\AppData\Roaming\Pinball\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	276319
Entropy (8bit):	4.242318669799302
Encrypted:	false
SSDEEP:
MD5:	8234983533FA47D2A1D7710FF8274299
SHA1:	E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:	F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:	1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:	false
Preview:	.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\start.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	4.132944044980959
Encrypted:	false
SSDEEP:
MD5:	C3EE711FEDF7ADE54C6A377569E0C3C1
SHA1:	B7E38A9253C19D1CB5118CE7B91D1DFFCF0E454D
SHA-256:	CD893CFB5666B2C00F776E60F1EE6E269822E3EDEB59FBA3B3B42AD8F3FB3C74
SHA-512:	CEE26E12D77F69A304FC6FCC9220031A045CDCD11BAE0384FA38FC5921F759287BEC84AA69CD4CAA191D5C1C186374B8425F0895B1D98C83D2BC2F482010AABB
Malicious:	false
Preview:	start Pinball.exe eKCwUZdx

C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	MSVC program database ver 7.00, 512*4023 bytes
Category:	dropped
Size (bytes):	2059776
Entropy (8bit):	4.067542396670122
Encrypted:	false
SSDEEP:
MD5:	70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:	0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:	38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:	47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.54104466243173
Encrypted:	false
SSDEEP:
MD5:	7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:	99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:	24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:	2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2445312
Entropy (8bit):	6.750207745422387
Encrypted:	false
SSDEEP:
MD5:	334C3157E63A34B22CCE25A44A04835F
SHA1:	C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:	3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:	11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	631017
Entropy (8bit):	5.144793130466209
Encrypted:	false
SSDEEP:
MD5:	0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:	BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:	3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:	0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:	false
Preview:	..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4400640
Entropy (8bit):	6.667314807988382
Encrypted:	false
SSDEEP:
MD5:	7F913E31D00082338F073EF60D67B335
SHA1:	AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:	B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:	E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826368
Entropy (8bit):	6.78646032943732
Encrypted:	false
SSDEEP:
MD5:	A031EB19C61942A26EF74500AD4B42DF
SHA1:	FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:	207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:	80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....\|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......\|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.566524833521835
Encrypted:	false
SSDEEP:
MD5:	6D7FD214164C858BBCF4AA050C114E8C
SHA1:	B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:	3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:	0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.053719053321012
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
File size:	243'980 bytes
MD5:	f44bcedfb71262dd1484bcbb63122ba5
SHA1:	b528fc9a7053622bb1495a2d985dc72ef433417c
SHA256:	ac8d45e6a98571d5d6c67f7b60cfdc84e2838f20d815d29e7a229539ab89c468
SHA512:	d85b13c478dbced1fedffaa29701566afe2bbce53821983d6b29588f037bd00c6cf4b92c12bb23aa431d76b4000ab92d7f6e5527b57f8617860b4a4b7d2a579a
SSDEEP:	3072:rdwWsF1XDWLAlcqva7fvYnS4OVzX+V4V2h0:rPs/7y7qAzOV4V2h0
TLSH:	77340E69D93B4810D4B099FD273363C01AED9D136B2DEA274291BE7269FDBC22E47103
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...w.Oa.................h...\|.......4............@

File Icon


Icon Hash:	176dccb4cccc6907

Static PE Info

General

Entrypoint:	0x4034f1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B77 [Sat Sep 25 21:58:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f10e4da994053bf80c20cee985b32e29

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000220h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-10h], edi
mov dword ptr [ebp-04h], 0040A130h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-0Ch], 00000020h
call dword ptr [004080B0h]
mov esi, dword ptr [004080C0h]
lea eax, dword ptr [ebp-000000C0h]
push eax
mov dword ptr [ebp-000000ACh], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-28h], edi
mov dword ptr [ebp-000000C0h], 0000009Ch
call esi
test eax, eax
jne 00007FEC486AC021h
lea eax, dword ptr [ebp-000000C0h]
mov dword ptr [ebp-000000C0h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B0h], 02h
jne 00007FEC486AC00Ch
movsx cx, byte ptr [ebp-0000009Fh]
mov al, byte ptr [ebp-000000ACh]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-26h], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-000000B0h], 02h
jnc 00007FEC486AC004h
and byte ptr [ebp-26h], 00000000h
cmp byte ptr [ebp-000000ABh], 00000041h
jl 00007FEC486ABFF3h
movsx ax, byte ptr [ebp-000000ABh]
sub eax, 40h
mov word ptr [ebp-2Ch], ax
jmp 00007FEC486ABFE6h
mov word ptr [ebp-2Ch], di
cmp dword ptr [ebp-000000BCh], 0Ah
jnc 00007FEC486ABFEAh
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x2bc18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6710	0x6800	ce5ea12d8928af396fab397be4d86e7b	False	0.6721379206730769	data	6.457647337216819	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1382	0x1400	bc5ab97ffda7e39e35bf0c1f7a27854b	False	0.4630859375	data	5.260451498562911	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25558	0x600	a4d50f221ae2d23d0280180871dbcfc8	False	0.4680989583333333	data	4.219370823365332	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x40000	0x2bc18	0x2be00	526ac03e544c740fe8e3835db7eb43c0	False	0.22805377492877493	data	5.240181650722112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x40310	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.10537678930557198
RT_ICON	0x50b38	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.15818793357157873
RT_ICON	0x59fe0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.18613678373382625
RT_ICON	0x5f468	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.17465753424657535
RT_ICON	0x63690	0x38a6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9899324231140533
RT_ICON	0x66f38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2408713692946058
RT_ICON	0x694e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2718105065666041
RT_ICON	0x6a588	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3737704918032787
RT_ICON	0x6af10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x6b378	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x6b580	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x6b678	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x6b768	0x84	data	English	United States	0.7348484848484849
RT_MANIFEST	0x6b7f0	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersionExA, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	14:43:31
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"
Imagebase:	0x400000
File size:	243'980 bytes
MD5 hash:	F44BCEDFB71262DD1484BCBB63122BA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:43:54
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup.exe"
Imagebase:	0x400000
File size:	107'290'516 bytes
MD5 hash:	83EE268A49F0D5FDF1B4A5C56788A0C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 3%, ReversingLabs Detection: 9%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:44:30
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Imagebase:	0xab0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 3%, ReversingLabs Detection: 11%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:44:34
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2952 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:	0xb60000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:44:34
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3188 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xc70000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:44:34
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3268 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0x200000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:44:34
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045911343 --mojo-platform-channel-handle=3580 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xa50000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:44:34
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4045972981 --mojo-platform-channel-handle=3624 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xf10000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:44:41
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052668776 --mojo-platform-channel-handle=4388 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x9d0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:44:41
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4052757136 --mojo-platform-channel-handle=4392 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x710000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:44:43
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x7f0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	14:44:45
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056196846 --mojo-platform-channel-handle=4504 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xcb0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:44:45
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4056264728 --mojo-platform-channel-handle=4348 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xbc0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:44:46
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x2c0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	14:44:47
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4057464444 --mojo-platform-channel-handle=4036 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0xb30000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	14:44:48
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xc50000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	14:44:48
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x430000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	14:44:49
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x870000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	14:44:49
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xb00000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	14:44:49
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x950000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	14:44:50
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x760000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	14:44:50
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; U; Android 14; SM-A536E Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/117.0.0.0 Mobile Safari/537.36 OPR/76.0.2254.69201" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --time-ticks-at-unix-epoch=-1714217828852267 --launch-time-ticks=4061594367 --mojo-platform-channel-handle=4628 --field-trial-handle=2944,i,714745183751366898,1750058734121012117,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x330000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	14:44:50
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xe50000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	14:44:50
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x680000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	14:44:52
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x5b0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	14:44:54
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x920000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	14:44:54
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xa0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	14:44:57
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x510000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	14:44:57
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xdb0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	14:44:58
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xb00000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:44:58
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x3c0000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	14:44:59
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x420000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	14:44:59
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xd80000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	14:44:59
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0x720000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	14:44:59
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Imagebase:	0xc20000
File size:	296'448 bytes
MD5 hash:	AF559066C28515850117F3C93146F67F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.8%
Total number of Nodes:	1331
Total number of Limit Nodes:	32

Executed Functions

Function 004034F1 Relevance: 96.7, APIs: 34, Strings: 21, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403514
GetVersionExA.KERNEL32(?), ref: 0040353D
GetVersionExA.KERNEL32(0000009C), ref: 00403554
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040361D
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040365A
OleInitialize.OLE32(00000000), ref: 00403661
SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040367F
GetCommandLineA.KERNEL32(Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 00403694
CharNextA.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000000,?,00000007,00000009,0000000B), ref: 004036CE
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037C7
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037D8
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037E4
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037F8
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403800
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403811
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403819
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 0040382D
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038D3
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038D8
ExitProcess.KERNEL32 ref: 004038F9
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000000,?,?,00000007,00000009,0000000B), ref: 0040390C
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000000,?,?,00000007,00000009,0000000B), ref: 0040391B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403926
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403932
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040394E
DeleteFileA.KERNEL32(00429478,00429478,?,00430000,?,?,00000007,00000009,0000000B), ref: 004039AB
CopyFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,00429478,00000001), ref: 004039C0
CloseHandle.KERNEL32(00000000,00429478,00429478,?,00429478,00000000,?,00000007,00000009,0000000B), ref: 004039ED
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403A1B
OpenProcessToken.ADVAPI32(00000000), ref: 00403A22
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A36
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A55
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A7A
ExitProcess.KERNEL32 ref: 00403A9B

Strings

C:\Users\user\AppData\Roaming\Pinball, xrefs: 004037AC, 004038AB, 00403954, 0040395E
.tmp, xrefs: 00403920
UXTHEME, xrefs: 00403611, 00403616, 0040361C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403506
1033, xrefs: 00403828
", xrefs: 004036F1
~nsu, xrefs: 00403904
Error launching installer, xrefs: 00403891
C:\Users\user\AppData\Local\Temp\, xrefs: 004037BC, 004037C1, 004037D7, 004037E3, 004037F2, 004037FF, 0040380B, 00403813, 00403909, 0040391A, 00403925, 00403931, 0040393E, 0040394D, 00403A02
C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 004038B6
C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, xrefs: 004039BB
TEMP, xrefs: 0040380C
Low, xrefs: 004037FA
TMP, xrefs: 00403814
C:\Users\user\Desktop, xrefs: 0040392B, 00403930, 0040395D
"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe", xrefs: 0040369A, 004036A0, 0040384F
NSIS Error, xrefs: 00403685
SeShutdownPrivilege, xrefs: 00403A30
Setup Pinball 22, xrefs: 0040368A
A, xrefs: 0040358F
\Temp, xrefs: 004037DE

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\update$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Pinball 22$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-2654808695
Opcode ID: 81fd53c31f629a5d9fc5bfd721c55a9fc960827f33750ddf9d0d7531c1fac7e3
Instruction ID: e98e4a5fe24b7fbee69c2a6f36de3ff31cd048084844d0745fc1e9075a3efd0a
Opcode Fuzzy Hash: 81fd53c31f629a5d9fc5bfd721c55a9fc960827f33750ddf9d0d7531c1fac7e3
Instruction Fuzzy Hash: 9DE11470900254AADB21AF759D49B6F7EB89F4670AF0480BFF541B61D2C7BC4A05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B6F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405B98
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405BE0
lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405C01
lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405C07
FindFirstFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*,?,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405C18
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CC5
FindClose.KERNEL32(00000000), ref: 00405CD6

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe", xrefs: 00405B78
\*.*, xrefs: 00405BDA
C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*, xrefs: 00405BC8, 00405BCE, 00405BDF, 00405C15

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"$C:\Users\user\AppData\Local\Temp\nswC34E.tmp\*.*$\*.*
API String ID: 2035342205-2059394723
Opcode ID: faded9c196cd74838ca1e91bb8710b4837c88517674c147a6894f7a7db6857f4
Instruction ID: 4718808f158ea52fcca0691a24e1ebca9c7702a3109b9de6f7b9021a1af4e111
Opcode Fuzzy Hash: faded9c196cd74838ca1e91bb8710b4837c88517674c147a6894f7a7db6857f4
Instruction Fuzzy Hash: 3C51B130809B04AAEB226B218D49BAF7A78DF52718F14813BF845751D1C77C9982DEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406724 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(74DF3410,0042C108,C:\,00405E70,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B8F,?,74DF3410,74DF2EE0), ref: 0040672F
FindClose.KERNEL32(00000000), ref: 0040673B

Strings

C:\, xrefs: 00406724

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction ID: c9c9a12bc8b774ad06f6f9f90ff499a93993566126ae4f8ffc97a4986822620a
Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
Instruction Fuzzy Hash: 62D012715081309BD3405B386D4C85B7A58AF153353618A36F866F22E0D7348C228698

Uniqueness

Uniqueness Score: -1.00%

Function 00403B93 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067B9: GetModuleHandleA.KERNEL32(?,00000000,?,00403633,0000000B), ref: 004067CB
Part of subcall function 004067B9: GetProcAddress.KERNEL32(00000000,?), ref: 004067E6

lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000009,0000000B), ref: 00403C0E
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,?,?,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,C:\Users\user\AppData\Roaming\Pinball,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,74DF3410), ref: 00403C83
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C96
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000009,0000000B), ref: 00403CA1
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Pinball), ref: 00403CEA

Part of subcall function 0040630B: wsprintfA.USER32 ref: 00406318

RegisterClassA.USER32(0042EBE0), ref: 00403D27
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D3F
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D74
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",00000009,0000000B), ref: 00403DAA
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBE0), ref: 00403DD6
GetClassInfoA.USER32(00000000,RichEdit,0042EBE0), ref: 00403DE3
RegisterClassA.USER32(0042EBE0), ref: 00403DEC
DialogBoxParamA.USER32(?,00000000,00403F30,00000000), ref: 00403E0B

Strings

C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403C1D, 00403C25, 00403CBD, 00403CC3, 00403CD3
RichEdit, xrefs: 00403DDD
1033, xrefs: 00403BB3, 00403C09
_Nb, xrefs: 00403D06, 00403D6E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B98
RichEd20, xrefs: 00403DB0
RichEdit20A, xrefs: 00403DCE, 00403DD4
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403C51, 00403C59, 00403C66, 00403CB0, 00403CB6
B, xrefs: 00403CF9
"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe", xrefs: 00403B96
.exe, xrefs: 00403C90
.DEFAULT\Control Panel\International, xrefs: 00403BF9
Control Panel\Desktop\ResourceLocale, xrefs: 00403BC7
RichEd32, xrefs: 00403DBE

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
API String ID: 1975747703-2175739715
Opcode ID: c630cd98a2914be9174b26e2e738905288855d424b9324edbec4349d293c1a18
Instruction ID: d89710434fc60f72bff50dd0b8e8498b1a5d6f9b4449ddb9e8b665c251f4a15f
Opcode Fuzzy Hash: c630cd98a2914be9174b26e2e738905288855d424b9324edbec4349d293c1a18
Instruction Fuzzy Hash: 3F61E4702042016EE620BF669D46F373A6CEB44B4DF40443FF941B22E2CB7CA9168A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,00000400), ref: 00402F8C

Part of subcall function 00405F40: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,80000000,00000003), ref: 00405F44
Part of subcall function 00405F40: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 0040311A

Strings

C:\Users\user\Desktop, xrefs: 00402FB7, 00402FBC, 00402FC2
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031D5
"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe", xrefs: 00402F65
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403187
Null, xrefs: 00403055
Inst, xrefs: 00403043
Error launching installer, xrefs: 00402FAC
soft, xrefs: 0040304C
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040313A
C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1792106362
Opcode ID: 2005f208a2339c59ab43fef2da7853fb62fc6b40e03fcb6696291913a7135b04
Instruction ID: c3dda028fec246d51fc2d1f070f96728b3bff22ba0095c66adda34c0f2e45969
Opcode Fuzzy Hash: 2005f208a2339c59ab43fef2da7853fb62fc6b40e03fcb6696291913a7135b04
Instruction Fuzzy Hash: F971D271A00208ABDB21AF64DE45B9A7BBCEB14319F50403BF505BB2D1D77CAE458B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00406440 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 0040656E
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400,?,0042A098,00000000,00405506,0042A098,00000000), ref: 00406581
SHGetSpecialFolderLocation.SHELL32(00405506,00000000,?,0042A098,00000000,00405506,0042A098,00000000), ref: 004065BD
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 004065CB
CoTaskMemFree.OLE32(00000000), ref: 004065D7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FB
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,0042A098,00000000,00405506,0042A098,00000000,00000000,00000000,00000000), ref: 0040664D

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 0040646A, 0040653A, 0040653B, 0040653C, 00406558, 0040656D, 00406580, 0040659C, 004065C7, 004065FA, 00406600, 00406618, 0040662B, 00406646, 0040664C, 00406654, 0040667E
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040653D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065F5

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\setup.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2918284280
Opcode ID: 38398d6ecce7c9880a138569f5858357a9108e76e203ad91a2b6340bc4305649
Instruction ID: 268467668beee15eea63ad286a81141898b18a339a36d3837aab5ec1b06c59ca
Opcode Fuzzy Hash: 38398d6ecce7c9880a138569f5858357a9108e76e203ad91a2b6340bc4305649
Instruction Fuzzy Hash: 13610470900100AEEF215F34ED90B7E3BA4AB15718F52413FE943BA2D1D27E8962CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 004063AD: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403694,Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 004063BA

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

Strings

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball\update
API String ID: 1941528284-3464775192
Opcode ID: cacce34dfe87c937726664b238e8662d685e89b268f2d0ef46f5665a7110999c
Instruction ID: d74f000fe0db08ada4b1866606914215aeb9a6e76c7c3683a032828096269754
Opcode Fuzzy Hash: cacce34dfe87c937726664b238e8662d685e89b268f2d0ef46f5665a7110999c
Instruction Fuzzy Hash: 4041C731910515BACF107BB5CD45EAF3678EF05328B20833BF422F20E1D67C89529A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040332A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040333E

Part of subcall function 004034A9: SetFilePointer.KERNEL32(00000000,00000000,00000000,004031A9,?), ref: 004034B7

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,00403254,00000004,00000000,00000000,0000000B,?,004031D0,000000FF,00000000,00000000,00000009,?), ref: 00403371
SetFilePointer.KERNEL32(?,00000000,00000000,LB,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254,00000004,00000000,00000000,0000000B,?,004031D0,000000FF), ref: 0040346C

Strings

LB, xrefs: 004033B8, 004033F5
o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 0040339E, 004033A4
`TA, xrefs: 00403383

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: LB$`TA$o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 1092082344-429706044
Opcode ID: 56010228795e1ad0e08db069a67fb83c8d86121d496d992e286645f0c7fdccb7
Instruction ID: c44045edb95023ba3cca2d031d7db8c7ecb953bf7021e17233d88aac787edfad
Opcode Fuzzy Hash: 56010228795e1ad0e08db069a67fb83c8d86121d496d992e286645f0c7fdccb7
Instruction Fuzzy Hash: 143181726042059FDB21BF29EE849673BACEB41359B58423BE805B62F0C7785D42CF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405994 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059D7
GetLastError.KERNEL32 ref: 004059EB
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405A00
GetLastError.KERNEL32 ref: 00405A0A

Strings

F9@, xrefs: 004059A9
C:\Users\user\AppData\Local\Temp\, xrefs: 004059BA

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$F9@
API String ID: 3449924974-1489804506
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 0e1db3289ec5df6a0f35b562325bf2216b146a324eccc31de4c45bc136cfaec7
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 220108B1D04219DADF109BA0C944BEFBBB8EB04354F00413ADA44B6290D7799648CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040674B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406762
wsprintfA.USER32 ref: 0040679B
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004067AF

Strings

UXTHEME, xrefs: 00406754
%s%s.dll, xrefs: 00406795
\, xrefs: 00406773

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 3863f05650aab447081eb6fa423b6430e02618d36ffe312384f2529087dcf063
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: 36F0217094021A6BDB149774DD0DFFB375CBB08308F14007AA58AF20C1DA78D9358B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F6F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F83
GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034EF,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007), ref: 00405F9D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F72
nsa, xrefs: 00405F7A

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: c81afa6165f68c23ab33ae750d9da6b6d4b0ed7f5f6f860b32f83f713540d6b5
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: DEF082363042087BDB108F55ED44B9B7B9DDF91750F14C03BFA44DA180D6B499988799

Uniqueness

Uniqueness Score: -1.00%

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 8f54d1db7107121c79eeabdd4d3ff93457635344b973460777cc98a7737a160d
Instruction ID: d5d8e73b2f819034d4a36da7431b6ab1c2b370ec15cffcebf3853f7809143cb5
Opcode Fuzzy Hash: 8f54d1db7107121c79eeabdd4d3ff93457635344b973460777cc98a7737a160d
Instruction Fuzzy Hash: CE21C931904215A7CF207F648E4DA9F3A706F44358F64413FF601B61D1DBBD49819A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00403AA1 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038D8,?,?,00000007,00000009,0000000B), ref: 00403AB3
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038D8,?,?,00000007,00000009,0000000B), ref: 00403AC7

Strings

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\, xrefs: 00403AD7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AA6

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nswC34E.tmp\
API String ID: 2962429428-840121150
Opcode ID: a9ee9dd59f1d65fc7d516ea45ae36214ae301fc028764db5b16804c067bfeb42
Instruction ID: d999985cb90310bf3b758c666a10fef92de30db54d65d146bcd03f9961b14051
Opcode Fuzzy Hash: a9ee9dd59f1d65fc7d516ea45ae36214ae301fc028764db5b16804c067bfeb42
Instruction Fuzzy Hash: A3E08631A00714A6C124EF7CAD499853A185B45331B244726F0B5F20F0C778A9575EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403222 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031D0,000000FF,00000000,00000000,00000009,?), ref: 00403247

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 0040329C, 004032B3, 004032C9

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 973152223-292220189
Opcode ID: ce81470534c94f9195f7b80e3f7d0d63071f291ff17927e88f905344df711149
Instruction ID: 63e3bc89ebc44e63cb87267a04d05eb10b5728ec6aea7eb37a90b8226d4502d0
Opcode Fuzzy Hash: ce81470534c94f9195f7b80e3f7d0d63071f291ff17927e88f905344df711149
Instruction Fuzzy Hash: 67318B30600219EFDB20DF95ED84A9E7BACEB00359F50443AF904E61A1DB38DE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405DD8: CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,74DF3410,?,74DF2EE0,00405B8F,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405DE6
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DEB
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DFF

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405994: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059D7

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Pinball\update
API String ID: 1892508949-3859457411
Opcode ID: 5387091bdfc140b8087f8c86ee1b38cdfb01a532a77df89c8285ea66194cdfe6
Instruction ID: da078a7396538d2b68c3d46abcf0abf86ed4841e4c77ece3ad50f4b688452c44
Opcode Fuzzy Hash: 5387091bdfc140b8087f8c86ee1b38cdfb01a532a77df89c8285ea66194cdfe6
Instruction Fuzzy Hash: 92113431608040EBCF316FA54D419BF23B09E96324B68453FE491B22E2DA3D4C43AA3E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E2D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004063AD: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403694,Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 004063BA

Part of subcall function 00405DD8: CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,74DF3410,?,74DF2EE0,00405B8F,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405DE6
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DEB
Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DFF

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B8F,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405E80
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B8F,?,74DF3410,74DF2EE0), ref: 00405E90

Strings

C:\, xrefs: 00405E33, 00405E38, 00405E3E, 00405E79, 00405E7F, 00405E87, 00405E8F

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 678f3ead996082f1db05eba5b8c2b9e3d8806008399db563f30518ef42c9b83a
Instruction ID: 9f267cddd7eb309e72c664a5524f4ef8e78f3a4fdcff01b88aa859142a740ccd
Opcode Fuzzy Hash: 678f3ead996082f1db05eba5b8c2b9e3d8806008399db563f30518ef42c9b83a
Instruction Fuzzy Hash: A1F0A431144D9515C72223368D09AAF1A45CEA23A475A453BF8D1B22D2CB3C8A539DEE

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC50,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNEL32(?,?,?,?,0040AC50,00000000,00000011,00000002), ref: 00402509
RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: f366e6c306fe12082cf0b05c6ba91687424175233ff3acd6191fb73da5415940
Instruction ID: f11ff60c4b13be1b40730626367b2ac31db3e86d33d3b539648c793afb11e8e7
Opcode Fuzzy Hash: f366e6c306fe12082cf0b05c6ba91687424175233ff3acd6191fb73da5415940
Instruction Fuzzy Hash: DB115171E04208AFEB10AFA59E49AAE7A74AB54714F21443BF504F71C1D6B94D809B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: d9b2f7af4b58b16225319d4737150cd9e7384b2817515e7f92340022bc23a71a
Instruction ID: 73951399082e5fa98c6371f9b4b4b349b16151057db022cfb7c5a8f3282eca10
Opcode Fuzzy Hash: d9b2f7af4b58b16225319d4737150cd9e7384b2817515e7f92340022bc23a71a
Instruction Fuzzy Hash: EB017571904104FFE7159F549E88ABF7B6CEF41358F20443EF105A61C0DAB44E449679

Uniqueness

Uniqueness Score: -1.00%

Function 00405B27 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(?,?,00405B33,?,?,00000000,00405D16,?,?,?,?), ref: 00405F20
Part of subcall function 00405F1B: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F34

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405D16), ref: 00405B42
DeleteFileA.KERNEL32(?,?,?,00000000,00405D16), ref: 00405B4A
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B62

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: fc28fc13a5ffaa1451d385943006fff6504562e94068b3e8e58ff47069311b16
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: A9E0E531508A5196C21067309D08B5B7AF4DF96315F09493AF891F20C0C73CB8068A7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040682E Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406854
GetExitCodeProcess.KERNEL32(?,?), ref: 00406861

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: 5b4fe72fd1e708cd3b796925d468a13cc4a0d4fa623004970e8620b303540654
Instruction ID: 786f37fe9b0b1b1757ae7e0e20c5bf7d2f22bc893670cbc7984a2ae372209aef
Opcode Fuzzy Hash: 5b4fe72fd1e708cd3b796925d468a13cc4a0d4fa623004970e8620b303540654
Instruction Fuzzy Hash: 2EE0D832A00108FBDB10AB54DD05E9E7B6EDB44744F114037FB01B61A0D7B19E62EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405FB8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00415460,004034A6,00000009,00000009,004033AA,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254), ref: 00405FCC

Strings

o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405FBB

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
API String ID: 2738559852-292220189
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 7e5aaa18cf238fc3c2a2d6f2c990f7ea76405a2d1e5533b3dfe085218e3ca13f
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 93E08C3220061EABCF109E608C04EEB3B6CEB003A0F004433F915E2140E674E8208BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 622720d723debc0e5387cc632ba222ec01e0168f6777bf894a7108f8d5dde447
Instruction ID: 4b56cd5ea3ff9179ab7dc602fdd52c2e718bc4285600ddde5da30d0002e9d155
Opcode Fuzzy Hash: 622720d723debc0e5387cc632ba222ec01e0168f6777bf894a7108f8d5dde447
Instruction Fuzzy Hash: BE110471904204FFDF24CF64CA584AE7BB4AF00344F20483FE042B72C0D6B88A45DA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8d6dbff36e684ac128f086476d42dfa0dacb146ee2a51e47a5bbc3284452034d
Instruction ID: b0909b975399ca643c062e30d3ddfd7e2b7b3efc2cbaaa5a110c2e05b7795de4
Opcode Fuzzy Hash: 8d6dbff36e684ac128f086476d42dfa0dacb146ee2a51e47a5bbc3284452034d
Instruction Fuzzy Hash: 380121317242109BE7180B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A46 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,00000009,00000009,0000000B), ref: 00405A6F
CloseHandle.KERNEL32(?), ref: 00405A7C

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction ID: 48950c8f4c666f3fb74f177c391d78cb5defd913bab31bd9d1c0215700feeedf
Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
Instruction Fuzzy Hash: 8AE0BFB5A00209BFEB109BA4ED49F7F77ACFB04608F404525BD50F2150D77499158A78

Uniqueness

Uniqueness Score: -1.00%

Function 004067B9 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,00403633,0000000B), ref: 004067CB
GetProcAddress.KERNEL32(00000000,?), ref: 004067E6

Part of subcall function 0040674B: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406762
Part of subcall function 0040674B: wsprintfA.USER32 ref: 0040679B
Part of subcall function 0040674B: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004067AF

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction ID: a7ac22a06370d6b0a0a90de621bba7f0ce7106f591c7cbd0d506157d44a434a2
Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
Instruction Fuzzy Hash: A0E08C32604210ABD21067B49E48C7B73ACAF88708702083FF946F3240DB38DC36A66D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F40 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,80000000,00000003), ref: 00405F44
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,00405B33,?,?,00000000,00405D16,?,?,?,?), ref: 00405F20
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F34

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 21ee5df392e2e3ec62eeb83b5b0df553a0a1579e20daa9fad68e55b8d704abe5
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: 99D0C972504422ABD3542728AE0889BBB55DB54271702CB35FDE5A26B1DB304C569A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A11 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405A17
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A25

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 195c21080821b3492e5a44204faa0221d1fd975594f5f15cd5422cdfd2dc7f48
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 24C08C30714501ABD6101B30AF09B173B60AB00340F028439A38AE00A0CA308015CE2D

Uniqueness

Uniqueness Score: -1.00%

Function 00406261 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 0040628A

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 282812905ffe6fa8799437e3a4fe4156bb01cfe44eebde0263977a6986859224
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 93E0E67201010DBEDF099F50DC0AD7B372DE704300F05492EF906D4151E6B5A9705634

Uniqueness

Uniqueness Score: -1.00%

Function 00405FE7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,0041CA75,00415460,0040342A,00415460,0041CA75,LB,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254), ref: 00405FFB

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 0afa8209b49303e90907335d5d7c52becaf9ed0dec036a1b0300e0b740401a66
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 55E08C3224025AABDF20DE608C00EEB3B6CEB00360F014432FE16E3040DA30E831ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406233 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,0042A098,?,?,004062C1,0042A098,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00406257

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 3d740e944366ea514e57ed2aded9f5afd8d3402cece41b903b05e0b4c8e80d31
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 01D0123200020DBBDF116F909D01FAB3B1EEF48350F118826FE06A4091D775D530A728

Uniqueness

Uniqueness Score: -1.00%

Function 00406186 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00406190

Part of subcall function 00406016: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,004061A7,?,?), ref: 00406047
Part of subcall function 00406016: GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00406050
Part of subcall function 00406016: GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 0040606D
Part of subcall function 00406016: wsprintfA.USER32 ref: 0040608B
Part of subcall function 00406016: GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 004060C6
Part of subcall function 00406016: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060D5
Part of subcall function 00406016: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040610D
Part of subcall function 00406016: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406163
Part of subcall function 00406016: GlobalFree.KERNEL32(00000000), ref: 00406174

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
String ID:
API String ID: 299535525-0
Opcode ID: c322f9145407614dcfa10dfeecaa9c41271446476469625b6f257f08a92a98fd
Instruction ID: 000a298da37951b9beb6bf7480c1bf72e8e5e1d416767976cc0ebe3603791975
Opcode Fuzzy Hash: c322f9145407614dcfa10dfeecaa9c41271446476469625b6f257f08a92a98fd
Instruction Fuzzy Hash: 5DD0A731148201BEDB211F00DD0490B7BB1FB90315F11843EF185940B0D7328060DF09

Uniqueness

Uniqueness Score: -1.00%

Function 004034A9 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,004031A9,?), ref: 004034B7

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

Part of subcall function 00405A46: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,00000009,00000009,0000000B), ref: 00405A6F
Part of subcall function 00405A46: CloseHandle.KERNEL32(?), ref: 00405A7C

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 0040682E: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
Part of subcall function 0040682E: GetExitCodeProcess.KERNEL32(?,?), ref: 00406861

Part of subcall function 0040630B: wsprintfA.USER32 ref: 00406318

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 932d1c38cbfb24ebf877498f87e14b96e13ba20706af4812904e15ae338fca7b
Instruction ID: 11a60f3d6f297274548d694c0275662d066654ba76d574c38af8cf55d6395503
Opcode Fuzzy Hash: 932d1c38cbfb24ebf877498f87e14b96e13ba20706af4812904e15ae338fca7b
Instruction Fuzzy Hash: 0EF0B432905121DBCB20BFA14EC49EFB2A49F41318B24463FF502B21D1CB7C4E418AAE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040560C Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040566B
GetDlgItem.USER32(?,000003EE), ref: 0040567A
GetClientRect.USER32(?,?), ref: 004056B7
GetSystemMetrics.USER32(00000002), ref: 004056BE
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056DF
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056F0
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405703
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405711
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405724
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405746
ShowWindow.USER32(?,00000008), ref: 0040575A
GetDlgItem.USER32(?,000003EC), ref: 0040577B
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040578B
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004057A4
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004057B0
GetDlgItem.USER32(?,000003F8), ref: 00405689

Part of subcall function 0040445F: SendMessageA.USER32(00000028,?,00000001,0040428F), ref: 0040446D

GetDlgItem.USER32(?,000003EC), ref: 004057CC
CreateThread.KERNEL32(00000000,00000000,Function_000055A0,00000000), ref: 004057DA
CloseHandle.KERNEL32(00000000), ref: 004057E1
ShowWindow.USER32(00000000), ref: 00405804
ShowWindow.USER32(?,00000008), ref: 0040580B
ShowWindow.USER32(00000008), ref: 00405851
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405885
CreatePopupMenu.USER32 ref: 00405896
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004058AB
GetWindowRect.USER32(?,000000FF), ref: 004058CB
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058E4
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405920
OpenClipboard.USER32(00000000), ref: 00405930
EmptyClipboard.USER32 ref: 00405936
GlobalAlloc.KERNEL32(00000042,?), ref: 0040593F
GlobalLock.KERNEL32(00000000), ref: 00405949
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040595D
GlobalUnlock.KERNEL32(00000000), ref: 00405976
SetClipboardData.USER32(00000001,00000000), ref: 00405981
CloseClipboard.USER32 ref: 00405987

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 2acb7b83d32332fc23b0f55e86c9aeee1e9b5d0168e5b03d031b27125abc7074
Instruction ID: 7efb50357b3f50af201fa6f108fa5506fb008a5585d1c8a66461a5270055d409
Opcode Fuzzy Hash: 2acb7b83d32332fc23b0f55e86c9aeee1e9b5d0168e5b03d031b27125abc7074
Instruction Fuzzy Hash: F2A14971900608BFDB11AFA5DE85AAE7B79FB08354F40403AFA41B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004048BC Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040490B
SetWindowTextA.USER32(00000000,?), ref: 00404935
SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 004049E6
CoTaskMemFree.OLE32(00000000), ref: 004049F1
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0042A8B8), ref: 00404A23
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00404A2F
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A41

Part of subcall function 00405AA7: GetDlgItemTextA.USER32(?,?,00000400,00404A78), ref: 00405ABA

Part of subcall function 0040668B: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066E3
Part of subcall function 0040668B: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F0
Part of subcall function 0040668B: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F5
Part of subcall function 0040668B: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00406705

GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 00404AFF
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404B1A

Part of subcall function 00404C73: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B8E,000000DF,00000000,00000400,?), ref: 00404D11
Part of subcall function 00404C73: wsprintfA.USER32 ref: 00404D19
Part of subcall function 00404C73: SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404D2C

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00404A1D, 00404A22, 00404A2D
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00404A0C
A, xrefs: 004049DF

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball
API String ID: 2624150263-3398784842
Opcode ID: f759c3bdfbf6dcf5a6d3c58857932ae76a455d95421bf85057ae9753f30115f1
Instruction ID: 418814d4f5b482a1114e5ad802000013a356d82c32de86a083c65c853fd70f02
Opcode Fuzzy Hash: f759c3bdfbf6dcf5a6d3c58857932ae76a455d95421bf85057ae9753f30115f1
Instruction Fuzzy Hash: 09A17FB1A00209ABDB11AFA6C945BAF77B8EF84314F10843BF611B62D1D77C99418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00402238

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Pinball\update
API String ID: 123533781-3859457411
Opcode ID: 33632eb9d2d55aaa42420cc03fede18144e517e278e294a30b7482181739d3ea
Instruction ID: 04de17d00a4dc4a8b41f7435a4088df82794450048cbc41f8bf7b2fd75c255b2
Opcode Fuzzy Hash: 33632eb9d2d55aaa42420cc03fede18144e517e278e294a30b7482181739d3ea
Instruction Fuzzy Hash: 7E511675A00208AFDF10DFE4C988A9D7BB5AF48314F2045AAF505EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004027AA Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b6c00e0e94478f12fd63b5c2aca1cdbca56b6e26543b3531c68661d346b4c890
Instruction ID: 3fa1d78f33bc5af05a97a61fc1c3a0e432ac7d90a4ef56d453e9603bce16c14e
Opcode Fuzzy Hash: b6c00e0e94478f12fd63b5c2aca1cdbca56b6e26543b3531c68661d346b4c890
Instruction Fuzzy Hash: 46F05532608100DBD710EBA48A08AFEB3689F11314FB0047BF002F20C1D6F88944DB3A

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction ID: 7a70df28d47a3628ca1b0521c3a29fd1132f15960f4e2392888d2acdccabd480
Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
Instruction Fuzzy Hash: 4BE18A71900709DFDB24CF58C880BAEBBF1FF45305F15842EE896A7291E738AA91CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004073D5 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction ID: 267aa099e2d25bcaaee6bbd59b652f1cfe254aeb6bd378defe50816dfd9dccfd
Opcode Fuzzy Hash: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
Instruction Fuzzy Hash: 12C13731E042199BCF18CF68D4905EEBBB2BF98314F25866AD856B7380D734B942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404E2F Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E46
GetDlgItem.USER32(?,00000408), ref: 00404E53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404EA2
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404EB9
SetWindowLongA.USER32(?,000000FC,00405442), ref: 00404ED3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EE5
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404EF9
SendMessageA.USER32(?,00001109,00000002), ref: 00404F0F
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404F1B
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F2B
DeleteObject.GDI32(00000110), ref: 00404F30
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F5B
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F67
SendMessageA.USER32(?,00001100,00000000,?), ref: 00405001
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00405031

Part of subcall function 0040445F: SendMessageA.USER32(00000028,?,00000001,0040428F), ref: 0040446D

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405045
GetWindowLongA.USER32(?,000000F0), ref: 00405073
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00405081
ShowWindow.USER32(?,00000005), ref: 00405091
SendMessageA.USER32(?,00000419,00000000,?), ref: 0040518C
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051F1
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405206
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040522A
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040524A
ImageList_Destroy.COMCTL32(?), ref: 0040525F
GlobalFree.KERNEL32(?), ref: 0040526F
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052E8
SendMessageA.USER32(?,00001102,?,?), ref: 00405391
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004053A0
InvalidateRect.USER32(?,00000000,00000001), ref: 004053CB
ShowWindow.USER32(?,00000000), ref: 00405419
GetDlgItem.USER32(?,000003FE), ref: 00405424
ShowWindow.USER32(00000000), ref: 0040542B

Strings

N, xrefs: 004050CA
, xrefs: 00405403
M, xrefs: 00404FE9

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: c1c194e9b9070287253358cafda237fff522e19e8e097677c2b12699a22d6652
Instruction ID: d499fac4ffa3b846b6f4258f5395dfa7d3bb3a3819381929755cf89923acce5f
Opcode Fuzzy Hash: c1c194e9b9070287253358cafda237fff522e19e8e097677c2b12699a22d6652
Instruction Fuzzy Hash: E9028CB0A00609AFDB209F94DD45AAF7BB5FB44314F50813AFA10BA2E0D7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F30 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F6C
ShowWindow.USER32(?), ref: 00403F8C
GetWindowLongA.USER32(?,000000F0), ref: 00403F9E
ShowWindow.USER32(?,00000004), ref: 00403FB7
DestroyWindow.USER32 ref: 00403FCB
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FE4
GetDlgItem.USER32(?,?), ref: 00404003
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00404017
IsWindowEnabled.USER32(00000000), ref: 0040401E
GetDlgItem.USER32(?,00000001), ref: 004040C9
GetDlgItem.USER32(?,00000002), ref: 004040D3
SetClassLongA.USER32(?,000000F2,?), ref: 004040ED
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 0040413E
GetDlgItem.USER32(?,00000003), ref: 004041E4
ShowWindow.USER32(00000000,?), ref: 00404205
EnableWindow.USER32(?,?), ref: 00404217
EnableWindow.USER32(?,?), ref: 00404232
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404248
EnableMenuItem.USER32(00000000), ref: 0040424F
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404267
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040427A
lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 004042A4
SetWindowTextA.USER32(?,0042A8B8), ref: 004042B3
ShowWindow.USER32(?,0000000A), ref: 004043E7

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: dd943b36bef5e6101a64a98db85f6916b7033b37facd6ac691b167c3a0268699
Instruction ID: cfe8d3d22397b66955926c3cfba744adcb70c974020a8b32e677ce7b32ac045c
Opcode Fuzzy Hash: dd943b36bef5e6101a64a98db85f6916b7033b37facd6ac691b167c3a0268699
Instruction Fuzzy Hash: 78C1E7B1604204ABDB316F66EE45E2B3A78FB94705F40053EF741B51F0CB7998929B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404595 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404620
GetDlgItem.USER32(00000000,000003E8), ref: 00404634
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404652
GetSysColor.USER32(?), ref: 00404663
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404672
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404681
lstrlenA.KERNEL32(?), ref: 00404684
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404693
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004046A8
GetDlgItem.USER32(?,0000040A), ref: 0040470A
SendMessageA.USER32(00000000), ref: 0040470D
GetDlgItem.USER32(?,000003E8), ref: 00404738
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404778
LoadCursorA.USER32(00000000,00007F02), ref: 00404787
SetCursor.USER32(00000000), ref: 00404790
LoadCursorA.USER32(00000000,00007F00), ref: 004047A6
SetCursor.USER32(00000000), ref: 004047A9
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047D5
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047E9

Strings

N, xrefs: 00404726
B, xrefs: 00404794

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$B
API String ID: 3103080414-4074832742
Opcode ID: 4d05f5e0ef440667059b4acfea2602b31eb488a9e47853f73489c8b11a8fc1e8
Instruction ID: f74a572f32c1eabaa27ded338b34f9593036d5ac8179563e1bc88d7f54208024
Opcode Fuzzy Hash: 4d05f5e0ef440667059b4acfea2602b31eb488a9e47853f73489c8b11a8fc1e8
Instruction Fuzzy Hash: 1961C6B1A40209BFDB10AF61CD45F6A7B69FB84714F10843AFB057B1D1C7B8A951CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Setup Pinball 22,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
Setup Pinball 22, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$Setup Pinball 22
API String ID: 941294808-2336980834
Opcode ID: cb662b4f4839534f1e503674090c16ddf8ae81f728f075d0793f80a4b08fd510
Instruction ID: 3a3012abeb301a2a27237ef274a244925febb43b73cb3b1a1ba5aa4791300789
Opcode Fuzzy Hash: cb662b4f4839534f1e503674090c16ddf8ae81f728f075d0793f80a4b08fd510
Instruction Fuzzy Hash: 2E419C71800209AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C774EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00406016 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,004061A7,?,?), ref: 00406047
GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00406050

Part of subcall function 00405EA5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB5
Part of subcall function 00405EA5: lstrlenA.KERNEL32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EE7

GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 0040606D
wsprintfA.USER32 ref: 0040608B
GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 004060C6
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060D5
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040610D
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406163
GlobalFree.KERNEL32(00000000), ref: 00406174
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040617B

Part of subcall function 00405F40: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,80000000,00000003), ref: 00405F44
Part of subcall function 00405F40: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66

Strings

%s=%s, xrefs: 00406081
[Rename], xrefs: 004060F5, 00406107

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: e602bdd9d32c47316c0f043e2c5c01b3ab384ce48114597be3de32aa163f2925
Instruction ID: 3e8574c39a0610ec67407c758a3b0be6a8c8f99fe29b991ef795125cbd817837
Opcode Fuzzy Hash: e602bdd9d32c47316c0f043e2c5c01b3ab384ce48114597be3de32aa163f2925
Instruction Fuzzy Hash: F33126316017167BC2306B699D49F2B3A5CDF45758F15003ABD42FA2C2DE7CE8228AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004054CE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

Strings

4/@, xrefs: 00405514, 00405526

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 23038f27ffa0ac85a098dbcc57426fb3d31c8aaa780897c3fdab36f90d014fb0
Instruction ID: 4b9143c85c3745f66eb79234941ef083dbb1be054dfbe47ff8ffe791c5f35d5f
Opcode Fuzzy Hash: 23038f27ffa0ac85a098dbcc57426fb3d31c8aaa780897c3fdab36f90d014fb0
Instruction Fuzzy Hash: F5219D71900518BBDB119FA5DD819DFBFB9EF09354F10807AF944B6290C7388E548F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040668B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066E3
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F0
CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F5
CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00406705

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe", xrefs: 0040668B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040668C
*?|<>/":, xrefs: 004066D3

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-408214126
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: ad50ec36196ae086b1f079829a382c2ab89d98dbc250fae59a25bbaada14e1cc
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 6711046180479169FB3207284C44B776F884F97764F19087FE8D2732C2CA7E5CA29A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6

Strings

#Vh%.@, xrefs: 00402F34
... %d%%, xrefs: 00402F1B

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: befa2999037e7dacf8acf22525320a04b4604363a871a5f770e998e30c514811
Instruction ID: a0a68cef0ca481793848c2d9aefcb7cb5e5ecf8e4390e60164e55f5bd8f95203
Opcode Fuzzy Hash: befa2999037e7dacf8acf22525320a04b4604363a871a5f770e998e30c514811
Instruction Fuzzy Hash: 36018E70541221EBCB21BB50EF0CA5B367CAB00745B94003AF605B11E0D6F8894ADFEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404491 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004044AE
GetSysColor.USER32(00000000), ref: 004044EC
SetTextColor.GDI32(?,00000000), ref: 004044F8
SetBkMode.GDI32(?,?), ref: 00404504
GetSysColor.USER32(?), ref: 00404517
SetBkColor.GDI32(?,?), ref: 00404527
DeleteObject.GDI32(?), ref: 00404541
CreateBrushIndirect.GDI32(?), ref: 0040454B

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 2fec9bf24bc66026ef53c67dad773596a416ec909f357223c019effc5fa8433a
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: CF2167B1500704EBCB319F68DD18B5BBBF4AF41714B04892EFAA6B26E0C738E544CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D7D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D98
GetMessagePos.USER32 ref: 00404DA0
ScreenToClient.USER32(?,?), ref: 00404DBA
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DCC
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DF2

Strings

f, xrefs: 00404DCE

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: fe6a20cf2c11a788ccad747fd5f00ef64c02a9fce7e576cf88be79dcb12c2241
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 66014871900219BADB00DBA8DD85BFEBBB8AF55B15F10016ABA41B61C0C6B499018BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

unpacking data: %d%%, xrefs: 00402E62
verifying installer: %d%%, xrefs: 00402E69, 00402E72

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 5099d59064bf0d622706c43f384fe22f0e9d0c525a15326d4d650ee4aa82a6b2
Instruction ID: 2c2aa0c7049332f53b6d42298637789440614c7c2e4359aadf4d2442cb353dca
Opcode Fuzzy Hash: 5099d59064bf0d622706c43f384fe22f0e9d0c525a15326d4d650ee4aa82a6b2
Instruction Fuzzy Hash: B1F01D7054020DBBEF21AF60DE0ABAE3769AB14345F00803AFA06B51D0DBF899558B99

Uniqueness

Uniqueness Score: -1.00%

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 2df3cb68b5dbc429f4f1c6a3098a75d6b21630ffe2b8286246b8db2eba0fa2f8
Instruction ID: 072e3b5d3c571983fced0d66139dcaa8d7c51a737b65702004a33dc82ef3b9c0
Opcode Fuzzy Hash: 2df3cb68b5dbc429f4f1c6a3098a75d6b21630ffe2b8286246b8db2eba0fa2f8
Instruction Fuzzy Hash: 1A316C32800128BBDF216FA5DE49D9E7B79AF08324F14423AF554B62E1CB794D419B68

Uniqueness

Uniqueness Score: -1.00%

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b743165f959946a4ccd9b25dfd89ff3ae47307fb0fa25d43bbc95ee673993e20
Instruction ID: 7635178ac91153ec690d33bbb3d07e4398e625bcf7d11104edb46be020a0d663
Opcode Fuzzy Hash: b743165f959946a4ccd9b25dfd89ff3ae47307fb0fa25d43bbc95ee673993e20
Instruction Fuzzy Hash: 24212B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AFA55B11A0D7B49EA49AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: de32b336c1ffdc66ac374c0ca9fff1b1f5d0d7551e6d5e34af7361189a15debb
Instruction ID: 27b1212a805eea3139c87a475943c4b4ab790071e569df717d046b8c5e7325cd
Opcode Fuzzy Hash: de32b336c1ffdc66ac374c0ca9fff1b1f5d0d7551e6d5e34af7361189a15debb
Instruction Fuzzy Hash: B5215A72E00109AFCF14DFA4DD85AAEBBB5EB48300F24407EF901F62A0DB389941DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 15cf77a67f34936d3abac871dc2773a608caae73cb034566782e53c9d0023549
Instruction ID: 685b73550df4dfc38284db97e20d4fcba876ab7456e304ac105fd168e902647a
Opcode Fuzzy Hash: 15cf77a67f34936d3abac871dc2773a608caae73cb034566782e53c9d0023549
Instruction Fuzzy Hash: 46018072544248AEE7007BB1AF4AA9A7FE8E755305F108839F241B61F2CB780448CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00404C73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B8E,000000DF,00000000,00000400,?), ref: 00404D11
wsprintfA.USER32 ref: 00404D19
SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404D2C

Strings

%u.%u%s%s, xrefs: 00404CFB

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: fd4e6de80d7076eadaf05026f9996a105bc8a90ef5d6e2270e2ceec6d89389f4
Instruction ID: 80ef3aaef9c7940d6c9ce4e805d84fd1729c92a9eb25c0fff6ef42e4110b4dd6
Opcode Fuzzy Hash: fd4e6de80d7076eadaf05026f9996a105bc8a90ef5d6e2270e2ceec6d89389f4
Instruction Fuzzy Hash: B7110D7360812437E700666D9C42EAE3298DB85378F254237FE25F31D1DA78CC2242ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 19a7777fe1495908293cc8df242e47f69f85fd711ccd5f7a82add7804c840abb
Instruction ID: d04047f7d872ba11913f05e2c7a8e30a40315ff7848647abde4a87fe257326fc
Opcode Fuzzy Hash: 19a7777fe1495908293cc8df242e47f69f85fd711ccd5f7a82add7804c840abb
Instruction Fuzzy Hash: 1B218571948208BEEB059FF5D986AAD7FB4EF44304F10447FF101B61D1D7B989819B18

Uniqueness

Uniqueness Score: -1.00%

Function 00405D3F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405D45
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405D4E
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D5F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D3F

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 3965532e52c2964af4e4a5008f28a1982034686e92c93decc9c116211ffbf6ee
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 64D0A7621016307AD21126159C09ECF19088F02314B0A4027F540B6191C63C4C2287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,74DF3410,?,74DF2EE0,00405B8F,?,74DF3410,74DF2EE0,"C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe"), ref: 00405DE6
CharNextA.USER32(00000000), ref: 00405DEB
CharNextA.USER32(00000000), ref: 00405DFF

Strings

C:\, xrefs: 00405DD9

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: bf86ed20fb7b94292cf6712911d0d54b52c00300c187dbabdd3beb47ec0449aa
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 59F09671904F516AFB325764DC44B775B88DB99351F18447BD5C07A2C1C37C4A814FEA

Uniqueness

Uniqueness Score: -1.00%

Function 00405442 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405471
CallWindowProcA.USER32(?,?,?,?), ref: 004054C2

Part of subcall function 00404476: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404488

Strings

, xrefs: 00405452

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 92a9fd2b7c2ec255fefba8023c613c5f78be7de0a7b6046c5c0ea937018391f1
Instruction ID: cd94b52dfe26eb285e266741e60656ba327741ee1343d18e5777b23f1cc810fd
Opcode Fuzzy Hash: 92a9fd2b7c2ec255fefba8023c613c5f78be7de0a7b6046c5c0ea937018391f1
Instruction Fuzzy Hash: FC017171101A09AFEF209F11DD80BDB3666EB84356F544136FE04791E2C73D8CA29E2A

Uniqueness

Uniqueness Score: -1.00%

Function 00406294 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Local\Temp\setup.exe,0042A098,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe,?,0040654C,80000002), ref: 004062DA
RegCloseKey.ADVAPI32(?,?,0040654C,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,?,0042A098), ref: 004062E5

Strings

C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00406297, 004062CB

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\setup.exe
API String ID: 3356406503-630909452
Opcode ID: a06636a21785f92a6ab7dc052d514d90bb4365a2268a51d0e95fcadfc93642b0
Instruction ID: 01dcb0f67e6ed75bb3d5fe412ec2f5c27d3211a9352167a32a014d0c2b7904db
Opcode Fuzzy Hash: a06636a21785f92a6ab7dc052d514d90bb4365a2268a51d0e95fcadfc93642b0
Instruction Fuzzy Hash: 10015E72500209AAEF228F55CD05FDB3BA8EF55354F01403AFD56A2190D374D968DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,80000000,00000003), ref: 00405D8C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,C:\Users\user\Desktop\SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe,80000000,00000003), ref: 00405D9A

Strings

C:\Users\user\Desktop, xrefs: 00405D86

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 791fe6a49cce3cab353f7a30e3e4730565bbd32bb5c0eaa1a09902b3577b180c
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: 5CD0A9A24089B06EF3436210CC08B8F6A88CF13301F0A84A3F480EA1A0C2BC4C428BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA5 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB5
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405ECD
CharNextA.USER32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EDE
lstrlenA.KERNEL32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EE7

Memory Dump Source

Source File: 00000000.00000002.2791673165.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2783745215.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2803846783.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2812677186.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848388393.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: b323b191ad28fc2fdc0003cf04e9b2d3b97c0f6d09c02c1c7944b0fd21ce9d7a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 78F0C231205814AFCB02DBA4DD0099FBBA8EF55350B2540B9E881F7211DA34DF01ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: setup.exePID: 7712, Parent PID: 7316COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1367
Total number of Limit Nodes:	27

Executed Functions

Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008001), ref: 004034EF
GetVersionExA.KERNEL32(?), ref: 00403518
GetVersionExA.KERNEL32(0000009C), ref: 0040352F
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
OleInitialize.OLE32(00000000), ref: 0040363C
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
ExitProcess.KERNEL32 ref: 004038D4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
ExitProcess.KERNEL32 ref: 00403A76

Strings

", xrefs: 004036CC
TMP, xrefs: 004037EF
A, xrefs: 0040356A
\Temp, xrefs: 004037B9
Low, xrefs: 004037D5
~nsu, xrefs: 004038DF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403797, 0040379C, 004037B2, 004037BE, 004037CD, 004037DA, 004037E6, 004037EE, 004038E4, 004038F5, 00403900, 0040390C, 00403919, 00403928, 004039DD
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034E1
1033, xrefs: 00403803
Error launching installer, xrefs: 0040386C
C:\Users\user\AppData\Local\Temp, xrefs: 00403906, 0040390B, 00403938
.tmp, xrefs: 004038FB
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403787, 00403886, 0040392F, 00403939
SeShutdownPrivilege, xrefs: 00403A0B
"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403675, 0040367B, 0040382A
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403891
TEMP, xrefs: 004037E7
UXTHEME, xrefs: 004035EC, 004035F1, 004035F7
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00403996
NSIS Error, xrefs: 00403660

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2882342585-3730836742
Opcode ID: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
Opcode Fuzzy Hash: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
FindClose.KERNEL32(00000000), ref: 00405CB1

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
\*.*, xrefs: 00405BB5

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
API String ID: 2035342205-2430568624
Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Uniqueness

Uniqueness Score: -1.00%

Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
FindClose.KERNEL32(00000000), ref: 00406716

Strings

C:\, xrefs: 004066FF

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,?,?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000000,C:\Users\user\AppData\Roaming\Pinball,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Pinball), ref: 00403CC5

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

RegisterClassA.USER32(00423EE0), ref: 00403D02
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
RegisterClassA.USER32(00423EE0), ref: 00403DC7
DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6

Strings

_Nb, xrefs: 00403CE1, 00403D49
C:\Users\user\AppData\Local\Temp\, xrefs: 00403B73
RichEd32, xrefs: 00403D99
1033, xrefs: 00403B8E, 00403BE4
>B, xrefs: 00403CD4
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00403C2C, 00403C34, 00403C41, 00403C8B, 00403C91
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00403BF8, 00403C00, 00403C98, 00403C9E, 00403CAE
.exe, xrefs: 00403C6B
RichEdit20A, xrefs: 00403DA9, 00403DAF
.DEFAULT\Control Panel\International, xrefs: 00403BD4
Control Panel\Desktop\ResourceLocale, xrefs: 00403BA2
"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00403B71
RichEdit, xrefs: 00403DB8
PB, xrefs: 00403B9A
RichEd20, xrefs: 00403D8B

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 1975747703-2458865237
Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F70
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
Null, xrefs: 00403053
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
Error launching installer, xrefs: 00402FAC
C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
soft, xrefs: 0040304A
Inst, xrefs: 00403041

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1937576205
Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000400), ref: 00406549
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe), ref: 004065A6
CoTaskMemFree.OLE32(00000000), ref: 004065B2
lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D0
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406518
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00406445, 00406515, 00406516, 00406517, 00406533, 00406548, 0040655B, 00406577, 004065A2, 004065D5, 004065DB, 004065F3, 00406606, 00406621, 00406627, 0040662F, 00406659

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1864475419
Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000000,00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Roaming\Pinball, xrefs: 00401786
C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe
API String ID: 1941528284-3515668715
Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
GetTickCount.KERNEL32 ref: 00402EF3
wsprintfA.USER32 ref: 00402F21

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
ShowWindow.USER32(00000000,00000005), ref: 00402F53

Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,0000239A), ref: 00402EB6

Strings

... %d%%, xrefs: 00402F1B
#Vh%.@, xrefs: 00402F34

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%$#Vh%.@
API String ID: 722711167-1706192003
Opcode ID: 07cac6d724745792ae4d9fd73f7c045bef1c3b2f4c5768a5f0064eb9df0334ee
Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
Opcode Fuzzy Hash: 07cac6d724745792ae4d9fd73f7c045bef1c3b2f4c5768a5f0064eb9df0334ee
Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE

Uniqueness

Uniqueness Score: -1.00%

Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
GetLastError.KERNEL32 ref: 004059C6
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
GetLastError.KERNEL32 ref: 004059E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405995
!9@, xrefs: 00405984

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: !9@$C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-2369717338
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
wsprintfA.USER32 ref: 00402E74
SetWindowTextA.USER32(?,?), ref: 00402E84
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96

Strings

verifying installer: %d%%, xrefs: 00402E69, 00402E72
unpacking data: %d%%, xrefs: 00402E62

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99

Uniqueness

Uniqueness Score: -1.00%

Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
wsprintfA.USER32 ref: 00406776
LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A

Strings

%s%s.dll, xrefs: 00406770
\, xrefs: 0040674E
UXTHEME, xrefs: 0040672F

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Uniqueness

Uniqueness Score: -1.00%

Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
GlobalFree.KERNEL32(?), ref: 004028A4
GlobalFree.KERNEL32(00000000), ref: 004028B7
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Uniqueness

Uniqueness Score: -1.00%

Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F5E
GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4D
nsa, xrefs: 00405F55

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Uniqueness

Uniqueness Score: -1.00%

Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\, xrefs: 00403AB2

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\
API String ID: 2962429428-119127848
Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2

SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Pinball, xrefs: 00401631

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Pinball
API String ID: 1892508949-1140934525
Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395

Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B

Strings

C:\, xrefs: 00405E0E, 00405E13, 00405E19, 00405E54, 00405E5A, 00405E62, 00405E6A

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE

Uniqueness

Uniqueness Score: -1.00%

Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004068D9 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403305 Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403319

Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
SetFilePointer.KERNEL32(155C335A,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
RegCloseKey.ADVAPI32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68

Uniqueness

Uniqueness Score: -1.00%

Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F

RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD

Uniqueness

Uniqueness Score: -1.00%

Function 004031FD Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
CloseHandle.KERNEL32(?), ref: 00405A57

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78

Uniqueness

Uniqueness Score: -1.00%

Function 004067D0 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32(?), ref: 004067E7
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004067F7

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Message$DispatchPeek
String ID:
API String ID: 1770753511-0
Opcode ID: b43a7f756baef145af556b0f3ef0eb78274fb565ee9daa0a8d5dee82ba361d4d
Instruction ID: 4b8c6ded7d3e2b85080493045cd77ffb99182be9d9e061d39d1abe4191ce46e7
Opcode Fuzzy Hash: b43a7f756baef145af556b0f3ef0eb78274fb565ee9daa0a8d5dee82ba361d4d
Instruction Fuzzy Hash: EBE0867390011867CA10AB999D05ECBB76C9F95754F010032F741F7084D674E50686F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
GetProcAddress.KERNEL32(00000000,?), ref: 004067C1

Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

Uniqueness

Uniqueness Score: -1.00%

Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,0040E7D2,0040B8F8,00403405,0040B8F8,0040E7D2,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F93 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C

Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405646
GetDlgItem.USER32(?,000003EE), ref: 00405655
GetClientRect.USER32(?,?), ref: 00405692
GetSystemMetrics.USER32(00000002), ref: 00405699
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
ShowWindow.USER32(?,00000008), ref: 00405735
GetDlgItem.USER32(?,000003EC), ref: 00405756
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
GetDlgItem.USER32(?,000003F8), ref: 00405664

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

GetDlgItem.USER32(?,000003EC), ref: 004057A7
CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
CloseHandle.KERNEL32(00000000), ref: 004057BC
ShowWindow.USER32(00000000), ref: 004057DF
ShowWindow.USER32(?,00000008), ref: 004057E6
ShowWindow.USER32(00000008), ref: 0040582C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
CreatePopupMenu.USER32 ref: 00405871
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
GetWindowRect.USER32(?,000000FF), ref: 004058A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
OpenClipboard.USER32(00000000), ref: 0040590B
EmptyClipboard.USER32 ref: 00405911
GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
GlobalLock.KERNEL32(00000000), ref: 00405924
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
GlobalUnlock.KERNEL32(00000000), ref: 00405951
SetClipboardData.USER32(00000001,00000000), ref: 0040595C
CloseClipboard.USER32 ref: 00405962

Strings

PB, xrefs: 004058D7

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404E21
GetDlgItem.USER32(?,00000408), ref: 00404E2E
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
DeleteObject.GDI32(00000110), ref: 00404F0B
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C

Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448

SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
GetWindowLongA.USER32(?,000000F0), ref: 0040504E
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
ShowWindow.USER32(?,00000005), ref: 0040506C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
ImageList_Destroy.COMCTL32(?), ref: 0040523A
GlobalFree.KERNEL32(?), ref: 0040524A
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
ShowWindow.USER32(?,00000000), ref: 004053F4
GetDlgItem.USER32(?,000003FE), ref: 004053FF
ShowWindow.USER32(00000000), ref: 00405406

Strings

N, xrefs: 004050A5
, xrefs: 004053DE
M, xrefs: 00404FC4

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
ShowWindow.USER32(?), ref: 00403F67
GetWindowLongA.USER32(?,000000F0), ref: 00403F79
ShowWindow.USER32(?,00000004), ref: 00403F92
DestroyWindow.USER32 ref: 00403FA6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
GetDlgItem.USER32(?,?), ref: 00403FDE
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
IsWindowEnabled.USER32(00000000), ref: 00403FF9
GetDlgItem.USER32(?,00000001), ref: 004040A4
GetDlgItem.USER32(?,00000002), ref: 004040AE
SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
GetDlgItem.USER32(?,00000003), ref: 004041BF
ShowWindow.USER32(00000000,?), ref: 004041E0
EnableWindow.USER32(?,?), ref: 004041F2
EnableWindow.USER32(?,?), ref: 0040420D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
EnableMenuItem.USER32(00000000), ref: 0040422A
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
SetWindowTextA.USER32(?,00420D50), ref: 0040428E
ShowWindow.USER32(?,0000000A), ref: 004043C2

Strings

PB, xrefs: 0040426F

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 1860320154-3196168531
Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
GetSysColor.USER32(?), ref: 0040463E
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
lstrlenA.KERNEL32(?), ref: 0040465F
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
GetDlgItem.USER32(?,0000040A), ref: 004046E5
SendMessageA.USER32(00000000), ref: 004046E8
GetDlgItem.USER32(?,000003E8), ref: 00404713
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
LoadCursorA.USER32(00000000,00007F02), ref: 00404762
SetCursor.USER32(00000000), ref: 0040476B
LoadCursorA.USER32(00000000,00007F00), ref: 00404781
SetCursor.USER32(00000000), ref: 00404784
SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4

Strings

N, xrefs: 00404701
6B, xrefs: 0040476F

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B

Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
wsprintfA.USER32 ref: 00406066
GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
GlobalFree.KERNEL32(00000000), ref: 0040614F
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156

Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41

Strings

[Rename], xrefs: 004060D0, 004060E2
.B, xrefs: 00406044
%s=%s, xrefs: 0040605C
*B, xrefs: 00406010
.B, xrefs: 0040603D

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]$*B$.B$.B
API String ID: 2171350718-3836630945
Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004048E6
SetWindowTextA.USER32(00000000,?), ref: 00404910
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
CoTaskMemFree.OLE32(00000000), ref: 004049CC
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00420D50), ref: 004049FE
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe), ref: 00404A0A
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C

Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95

Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5

Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

PB, xrefs: 00404994
A, xrefs: 004049BA
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 004049F8, 004049FD, 00404A08
C:\Users\user\AppData\Roaming\Pinball, xrefs: 004049E7

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$PB
API String ID: 2624150263-4055189157
Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
SetWindowTextA.USER32(00420530,00420530), ref: 00405517
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565

Strings

4/@, xrefs: 004054EF, 00405501

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: 4/@
API String ID: 2531174081-3101945251
Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0

Strings

"C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
*?|<>/":, xrefs: 004066AE

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1678727643
Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D

Uniqueness

Uniqueness Score: -1.00%

Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404489
GetSysColor.USER32(00000000), ref: 004044C7
SetTextColor.GDI32(?,00000000), ref: 004044D3
SetBkMode.GDI32(?,?), ref: 004044DF
GetSysColor.USER32(?), ref: 004044F2
SetBkColor.GDI32(?,?), ref: 00404502
DeleteObject.GDI32(?), ref: 0040451C
CreateBrushIndirect.GDI32(?), ref: 00404526

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
GetMessagePos.USER32 ref: 00404D7B
ScreenToClient.USER32(?,?), ref: 00404D95
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD

Strings

f, xrefs: 00404DA9

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
wsprintfA.USER32 ref: 00404CF4
SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07

Strings

%u.%u%s%s, xrefs: 00404CD6
PB, xrefs: 00404CDE

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D7E
GetClientRect.USER32(?,?), ref: 00401DCC
LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32(?,00000000), ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18

Uniqueness

Uniqueness Score: -1.00%

Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
CharNextA.USER32(00000000), ref: 00405DC6
CharNextA.USER32(00000000), ref: 00405DDA

Strings

C:\, xrefs: 00405DB4

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA

Uniqueness

Uniqueness Score: -1.00%

Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA

Strings

C:\Users\user\AppData\Roaming\Pinball, xrefs: 00402238

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Pinball
API String ID: 123533781-1140934525
Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040544C
CallWindowProcA.USER32(?,?,?,?), ref: 0040549D

Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463

Strings

, xrefs: 0040542D

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00406527,80000002), ref: 004062B5
RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00420530), ref: 004062C0

Strings

C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, xrefs: 00406272, 004062A6

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
API String ID: 3356406503-3797405212
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00405D61

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 2709904686-47812868
Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2

Memory Dump Source

Source File: 00000004.00000002.2752797440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2752738893.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752874928.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2752922000.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000004.00000002.2753059820.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 5480, Parent PID: 7924COMMON

Executed Functions

Function 02D24F58 Relevance: 11.9, Strings: 9, Instructions: 610COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D2589B
(oq, xrefs: 02D25056
(oq, xrefs: 02D2586F
(oq, xrefs: 02D25655
(oq, xrefs: 02D255A3
(oq, xrefs: 02D25082
(oq, xrefs: 02D255CF
(oq, xrefs: 02D251CD
(oq, xrefs: 02D251F9

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-1155985100
Opcode ID: ca486629091872af4a080f1a0ebe11b14cd145893e43b277cfe4b4381070f080
Instruction ID: d802f9caabdc433e4ecbf9e11757d8063b348acf430210c09378c3a2c376f82c
Opcode Fuzzy Hash: ca486629091872af4a080f1a0ebe11b14cd145893e43b277cfe4b4381070f080
Instruction Fuzzy Hash: 5A32A274B002288FCB49DF69D554AAEBBF2EFD8304F55806AE806EB355DB349C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D23860 Relevance: 4.4, Strings: 3, Instructions: 683COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D2419C
(oq, xrefs: 02D23DE5
(oq, xrefs: 02D23BA1

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: 036d08f45ff247b11488a25e280bcd1f2df4ffe7ada7005def51f1853455f570
Instruction ID: dd5a1d20b538306bb856875fd4e71f833f74cb7f251e8772838774e60be0d5c0
Opcode Fuzzy Hash: 036d08f45ff247b11488a25e280bcd1f2df4ffe7ada7005def51f1853455f570
Instruction Fuzzy Hash: 6C427034B002299FDB45EF69D954AAEBBB7EF98300F148059E805AB3A9CF35DC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D21049 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669625b8ebd73871444e92159adf06a6645fbadd67cd2111a90161e8924da0fb
Instruction ID: 0ff4316d808a232041827046bb1701979ed467103d89f42dcba8685f04b6a93c
Opcode Fuzzy Hash: 669625b8ebd73871444e92159adf06a6645fbadd67cd2111a90161e8924da0fb
Instruction Fuzzy Hash: 9082FF74640219DFDB06EFA5D654B6E7B7AEB88300F104914F901373ACCB36AD89DB26

Uniqueness

Uniqueness Score: -1.00%

Function 02D235F0 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D236B6
(oq, xrefs: 02D23786
(oq, xrefs: 02D237B2

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: fbc59bef548419b8cad57aa699db398cf0e23507a6d6b6b8b9e89dc6ce849f60
Instruction ID: f95c42b69ca85af8f294c10473623d5000adbe567d727ef0a0ffa7a8f96909e8
Opcode Fuzzy Hash: fbc59bef548419b8cad57aa699db398cf0e23507a6d6b6b8b9e89dc6ce849f60
Instruction Fuzzy Hash: D34159353001180BE799BB3A981023F6AEBEBD5650768857DD806CB3E8DE38DC0B87D5

Uniqueness

Uniqueness Score: -1.00%

Function 02D2BEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02D2BF75

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: d31bbabb4c0a36196c86a1a21a9608b954bc6667c6d2eaae8a7fa2fb08a87fba
Instruction ID: 6fcde7c9df93c9d8be74aad460cc1d1d59e57a97dcc241938fb19791f6a809c0
Opcode Fuzzy Hash: d31bbabb4c0a36196c86a1a21a9608b954bc6667c6d2eaae8a7fa2fb08a87fba
Instruction Fuzzy Hash: 56419F747006158FC754DF2ED498A6EBBF6FF98710B2580A9E906DB3B5DA31EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 02D2BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02D2BF75

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: b7eb57a3826f4aff9b1ac39f39032c7b2e94c24982be4095264ebb9cb72f691d
Instruction ID: 36953e2a946bb36415d1fd098b98311e1b968d9bb26ea23fc8df879742ae2dbe
Opcode Fuzzy Hash: b7eb57a3826f4aff9b1ac39f39032c7b2e94c24982be4095264ebb9cb72f691d
Instruction Fuzzy Hash: F1415E747006158FC754EF6EC498A6EBBE6FF88710B6580A9E506DB3B5CE71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 02D22B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02D22B35

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 3b46f52746db209319c236eafc29fd2e2f584f7c7e905a812ab17652141a2e7c
Instruction ID: 703d21c68bd5b05aa6debd5dae94324d04effb27bae409251b5b2a2c13a4bc73
Opcode Fuzzy Hash: 3b46f52746db209319c236eafc29fd2e2f584f7c7e905a812ab17652141a2e7c
Instruction Fuzzy Hash: 7B310B357002158FDB4AAB36C554A6E33E6EBC9A50B20816CE50A8F3B9DF35DC078B94

Uniqueness

Uniqueness Score: -1.00%

Function 02D22B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02D22B35

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: ea4113784487dcbdcb3332a67493351f6ef0bdf6610f8a1e04322729f2291f8d
Instruction ID: 0f68ceff9734c9b45fc4cfeab3f37aeb11c0c37ecb5bf74a69af1ea6a061ef47
Opcode Fuzzy Hash: ea4113784487dcbdcb3332a67493351f6ef0bdf6610f8a1e04322729f2291f8d
Instruction Fuzzy Hash: 4731F8347012158FDB4AAB36D55496E33E6EBC9A14B20816CE10A8F3B9DF36DC47CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02D24248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D24295

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: c3ceb0c94940a253d770bb68853aa23d9c3a5aa830aad14acb97ab83b710f5bf
Instruction ID: f8322d3fb9079d58fa493ae3eaaf96f0f124a69582cf52440ea768ad437a48cd
Opcode Fuzzy Hash: c3ceb0c94940a253d770bb68853aa23d9c3a5aa830aad14acb97ab83b710f5bf
Instruction Fuzzy Hash: 460190357081540FD306577D541417E7F67EFD165035440AFC841CB359DE28AC49C3C4

Uniqueness

Uniqueness Score: -1.00%

Function 02D237F0 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D23820

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 497826884d1555b0713f8c670c4cdb1c22e428bc29217b30cbafebf65ac676c8
Instruction ID: 22b1395cd56b3a15e75030d429e70d9f3cc680a7642a7fe4bac139b72c45040b
Opcode Fuzzy Hash: 497826884d1555b0713f8c670c4cdb1c22e428bc29217b30cbafebf65ac676c8
Instruction Fuzzy Hash: 74F059327041680BD74A6B7A180053E7FEFDBC5220B14426BF906C73D5DE698C068391

Uniqueness

Uniqueness Score: -1.00%

Function 02D21058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb883ae1ecda0b4308074be36ba7822608297dde1eacf1aa483244152e9243f
Instruction ID: 40b08f7bc1a29e23215bc63fb8269d3878ba0633684f1604c84f8f370cad21c6
Opcode Fuzzy Hash: ccb883ae1ecda0b4308074be36ba7822608297dde1eacf1aa483244152e9243f
Instruction Fuzzy Hash: 8C82FF74640219DFDB06EFA5D654B6E7B7AEB88300F104914F901373ACCB36AD89DB26

Uniqueness

Uniqueness Score: -1.00%

Function 02D2B0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b81ee8077cd29d1fe290437ed4ef9091bd7ca1df6b56f7d443a44c29be4cfb
Instruction ID: b1cf03f99f1a526fce434cc3d59ee108d91f169ada318fb13e2c5cd4596d83b5
Opcode Fuzzy Hash: 43b81ee8077cd29d1fe290437ed4ef9091bd7ca1df6b56f7d443a44c29be4cfb
Instruction Fuzzy Hash: 4D524B34A01220CFCB15EF75D558A6DBBB2FB84309B64856AE4168F369DB71EC89CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02D2C060 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31551f897bc4cd43cfb9c8ddb86906d7a3f1439fa05afbd95fccb603388ecc34
Instruction ID: b9aacdb8bc1b01bb22836d9013943bc0a87b44eb6016291437dd9e762229b99c
Opcode Fuzzy Hash: 31551f897bc4cd43cfb9c8ddb86906d7a3f1439fa05afbd95fccb603388ecc34
Instruction Fuzzy Hash: 287106716017059FC356DB65CA5064BFBE2FF90304350CA2E844A8BB69EF72F94A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2C070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b616bee432fd2afa7bf559446389b45dee1755ec020c9518a2e92918b16d01b9
Instruction ID: f049bfe68d627c5b5c20d60e9f92cd55c50d4b494320728572582093dbccbcf0
Opcode Fuzzy Hash: b616bee432fd2afa7bf559446389b45dee1755ec020c9518a2e92918b16d01b9
Instruction Fuzzy Hash: EA71F4716017059FC396DB65CA5055BFBE2FF94304350CA2E844A8BB69EF72F94A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2BB99 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20349cc209a1468037b7da86edb24cd8527a2919da2682ca0f30a95d2d925f7
Instruction ID: 3db048c45d1b90f171fca2469b8496b2bf6c575fbd903b589e8232533c3cab82
Opcode Fuzzy Hash: a20349cc209a1468037b7da86edb24cd8527a2919da2682ca0f30a95d2d925f7
Instruction Fuzzy Hash: C481D478601225CFCB12EB15E689A69BBB2FB44309B15C669E5258F32DD770EC8DCF40

Uniqueness

Uniqueness Score: -1.00%

Function 02D2385A Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d06e17aab253662d8ab2534d2e85ef05ba6a431cf41f298a44430cae073e0b
Instruction ID: dade989f7970c0a2e6bdd85cdefae4ecba12c26da9b113017d0f823d4aaaf47c
Opcode Fuzzy Hash: c9d06e17aab253662d8ab2534d2e85ef05ba6a431cf41f298a44430cae073e0b
Instruction Fuzzy Hash: 48613C34A10228EFCB44DFA5E994AADBBB6FF88310F104065F805A7364DB35EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D25AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f33a40e7c98618e4d40102ef669612d986c86d20647630dc8b2014283bb096
Instruction ID: d04b49fa25406fa6f9de4d56c93063766731f504695689b4847c09c991daea83
Opcode Fuzzy Hash: a6f33a40e7c98618e4d40102ef669612d986c86d20647630dc8b2014283bb096
Instruction Fuzzy Hash: 15513B74B002168FCB48DF69D594E6EBBF6EF88314B5141A9E506DB365DB30EC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D2C798 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cd549a4c00c84bed46a21ea846d623b2aa4dae6c8a268793e085b56709bfa4
Instruction ID: 352c1b8bed41b56065bbef83b5ba7be68fa7b7cb97072e31f5e6f0f9b2ec5feb
Opcode Fuzzy Hash: 39cd549a4c00c84bed46a21ea846d623b2aa4dae6c8a268793e085b56709bfa4
Instruction Fuzzy Hash: 6A5101716007059FC366EF25CA4054AFBE2EE95304354CA6EC44A9B769EB36FD4A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02D22850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66708dc4d978c4d62a1697d51194251f489fdce6ea885da4b9ab014f0164f6d9
Instruction ID: f3670bba2064caf55ecefec5fe2771547bdefe1b920e4ba4e8a920221f60470c
Opcode Fuzzy Hash: 66708dc4d978c4d62a1697d51194251f489fdce6ea885da4b9ab014f0164f6d9
Instruction Fuzzy Hash: 93411734A50218DFDB58DFA5D9849EDBBB2FF88344F104669E901AB368DB34A845CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02D25A91 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2716f2b1084572b0d965782d3ecc05e0c4e6746efa2dc047d2056a9faaa0d78
Instruction ID: 1038e27eb2337b4ff242d9ab7db2eefe41c5c006e8c0348f8217d61f9af76d15
Opcode Fuzzy Hash: a2716f2b1084572b0d965782d3ecc05e0c4e6746efa2dc047d2056a9faaa0d78
Instruction Fuzzy Hash: E6415A75B002068FCB44DF69D994EAABBF5EF88214B5180A9E509DB336DB30EC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D22842 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 215c357c7886d939b27aa722c6afeffc365ec27dbc434f22dbfbd5c76f45a069
Instruction ID: 972117f8e0d561840a176e5370c4be9acd20341699df7dd675e16656bf480826
Opcode Fuzzy Hash: 215c357c7886d939b27aa722c6afeffc365ec27dbc434f22dbfbd5c76f45a069
Instruction Fuzzy Hash: 38316F34950218DFDB48DFA5D9886EDBFB2FF88344F104629E901A7368DF349849CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02D25308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4262c732039cca8ff00a0ead2dda379007a82cc670d1b5cba948016728c99105
Instruction ID: b1faa218ac14ea6f3e90ebbc557d66139cf689f7750f5f7381a5cacb8123dc7c
Opcode Fuzzy Hash: 4262c732039cca8ff00a0ead2dda379007a82cc670d1b5cba948016728c99105
Instruction Fuzzy Hash: 7641E834A002289FCB08EFA5E5949ADBBB2FF98315F508165F805AB365DB34AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D2B0A0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48616f865e8fb478f4ce299998985f3b7d5ca43643133a3b728ca3e52ba9a7ae
Instruction ID: 4bf53c921ed3a77003390513e870efc61ab0effa2146dcbac8490d345286e5d3
Opcode Fuzzy Hash: 48616f865e8fb478f4ce299998985f3b7d5ca43643133a3b728ca3e52ba9a7ae
Instruction Fuzzy Hash: 3331E170A002288FCB00DB69E9446ADF7F6FF95318F54852ED0169B3A9DB71AC09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D22C48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f14290c6c224d69d3402915d48d17e9b45d58e488d1f3dd30686fe739017c2
Instruction ID: 149a181959eda3cd584e7f3460f4acbdae323a60b2c04ea44308c6df7c14c0d6
Opcode Fuzzy Hash: a0f14290c6c224d69d3402915d48d17e9b45d58e488d1f3dd30686fe739017c2
Instruction Fuzzy Hash: 7C413D7490021ADFCB44EF65D5846EEBBB5FF88314F104265F901AB369EB34A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D22C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2616169fd4322122533f26df3caad12946f52c735b8643424391e91395f3379c
Instruction ID: 842a1645cb97846bb6f85e25eb15fbca1068d654208bcdfc9c032489f7815e3c
Opcode Fuzzy Hash: 2616169fd4322122533f26df3caad12946f52c735b8643424391e91395f3379c
Instruction Fuzzy Hash: D5311D7490021ACFCB04EF65D5845EEBBB5FB88314F104265F405AB369EB34A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D25698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5388f855b07923f728dbebf34d7bf34c121deb852b96c852d230e47a1b5eb80
Instruction ID: 90734b93d0ec182413f60114397e109c317a895feb8b5c15912293e071bce112
Opcode Fuzzy Hash: b5388f855b07923f728dbebf34d7bf34c121deb852b96c852d230e47a1b5eb80
Instruction Fuzzy Hash: 9B219E74B012149FC718DF29E598AAEBBF6AF8C604F644069E406E7360CF70EC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02D2288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54e027e53abc97cbea2b5ef3dcc1d5181f9a5599d2852b81e7b12fd45411940
Instruction ID: 4a94f425bc2d365618ba092c15600f159f7d5917569480c43dcffb916377eaca
Opcode Fuzzy Hash: c54e027e53abc97cbea2b5ef3dcc1d5181f9a5599d2852b81e7b12fd45411940
Instruction Fuzzy Hash: DB31FC34A50218DFDB58DFA5E9846EDBFB2FF88345F14416AE801A7368DB359C45CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02D24B70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c0222dd76ca414c412c28cc58f51909789b2ccab74879658a1bfca77148370
Instruction ID: 7a8af25d893513f9f6e0c8eb84bb7e5accf87db366fda120bf9352aed0426421
Opcode Fuzzy Hash: d8c0222dd76ca414c412c28cc58f51909789b2ccab74879658a1bfca77148370
Instruction Fuzzy Hash: AE21B2312102055FC755EB79E98069EBBA6FBC0710B444A29D41A8B369DF70FD898B94

Uniqueness

Uniqueness Score: -1.00%

Function 02D2CEC0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb90926ae968ba2870c51323686d43b8ce1561f641d8974dc7d34383dd6d1335
Instruction ID: a2e780b7c1b128b18eceae323e55380260406fee6e555710e91d9d40f53e78ea
Opcode Fuzzy Hash: cb90926ae968ba2870c51323686d43b8ce1561f641d8974dc7d34383dd6d1335
Instruction Fuzzy Hash: 3C2178B1C152589FDB24CFA8C54979DBBF1AB48328F15805AE805A7380CB755D48CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D24B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb1f8cf4be5ccc4bf8976cd8baeb0bb7f8a82b94da2d20ac0e30044bb4ea8c8
Instruction ID: 3c8f391bc181fb48d536f0141f1d4ab8bdef05fb5e0dd07fa63cb71d6f7b00e6
Opcode Fuzzy Hash: 2fb1f8cf4be5ccc4bf8976cd8baeb0bb7f8a82b94da2d20ac0e30044bb4ea8c8
Instruction Fuzzy Hash: 7F2192302002065FC715EB69E980A5EFBA6FBC0750B408A29D41A8B36DDF70AD894B94

Uniqueness

Uniqueness Score: -1.00%

Function 02D2CED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ce3b713040256cb3b4488add55fbea786f10e7d8c1038210047ffd89ddf2c1
Instruction ID: d899774a0c8e2299ed9c82dbcb603d6bb3bf44350de55df7e0e57519367c94b8
Opcode Fuzzy Hash: 26ce3b713040256cb3b4488add55fbea786f10e7d8c1038210047ffd89ddf2c1
Instruction Fuzzy Hash: D9217C70D15258DFCB20CF68C549B9DBFF1AB48318F11805AE805A7380CB759C49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D25C41 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5373dd88f1a5d05723e044e4f226381f865e56ac5b47e4da7b486ccbd84634c
Instruction ID: be8ce098a7ecc92dfaf3c50579b6440dd74baef5628f67878fe281b04ec15baa
Opcode Fuzzy Hash: a5373dd88f1a5d05723e044e4f226381f865e56ac5b47e4da7b486ccbd84634c
Instruction Fuzzy Hash: 5621AC30A042988FCB15CBA8D598EDC7FF1AF49314F5900AAD441FB362DB359D49CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02D22908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75d821f5a9ee0ebf7c5d01b9420e3e73bf54709a9d425183f43901ece51b31d
Instruction ID: 03897b7578e8762d554f4e788611447d2eaab57d33826e59e5e3d034cff52afb
Opcode Fuzzy Hash: b75d821f5a9ee0ebf7c5d01b9420e3e73bf54709a9d425183f43901ece51b31d
Instruction Fuzzy Hash: 5321FC34D50228DFDB14DFA5D9849EDBBB2FF88344F10822AE81567368DB349845CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02D25C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e15ad31af7f671d9ec29e2fc7ff316d3ebd7bfe8ba9e0eb05f95a3352d47d42
Instruction ID: 0a974c1d3c31fcbbfdcd394d10d18d00510b42d7d4d31f0647d264e54054f36c
Opcode Fuzzy Hash: 7e15ad31af7f671d9ec29e2fc7ff316d3ebd7bfe8ba9e0eb05f95a3352d47d42
Instruction Fuzzy Hash: 9D213835A002288FDB14DBA9D588FDDBBF1AF4C314F6410A5E505BB361DB75AD88CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D26888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cab6dff8c330b896d68a1a31d457823feb9e99c5cb67c43ac59fecea95f9cb9
Instruction ID: 15c7663ca8bdb7b792718db66a1ac174cb2b363ddf13ba51214a4f660ce5ffaf
Opcode Fuzzy Hash: 4cab6dff8c330b896d68a1a31d457823feb9e99c5cb67c43ac59fecea95f9cb9
Instruction Fuzzy Hash: C8115E71D00255CFDB14DBA4CA487EDBBFAAF84308F14806AD405B7251DF799D09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D2296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a1f0efd89d6a060ad8ee5befe4b0dd63e10a0f0437c0998546f5eb87776e8d
Instruction ID: 9554e88acb4713fd9d3e8a1a65972e194f760e77627afb66c83c9c38f58283a5
Opcode Fuzzy Hash: 01a1f0efd89d6a060ad8ee5befe4b0dd63e10a0f0437c0998546f5eb87776e8d
Instruction Fuzzy Hash: 5B21C638940218DFDB54DFA9E9849DCBBB2FF88344F10426AE915AB368DB34AD45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02D241A2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc43fff173e4ed903a9a89c3c9d23b55f3e23106cb0102a3588636c0d705079
Instruction ID: 753272d3caeea3232a61e7f950cf5780a3ff87fc369cac43e5d03c78e00dd20c
Opcode Fuzzy Hash: ddc43fff173e4ed903a9a89c3c9d23b55f3e23106cb0102a3588636c0d705079
Instruction Fuzzy Hash: 39019C313092985FC38A67355C601AF7FBAEBD6650394009FD805D7395CE305C0983A9

Uniqueness

Uniqueness Score: -1.00%

Function 02D2C000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf62acd86bfa3cdd0c1f82a9d953e88417157254beed932e5a729f3a6e639df
Instruction ID: c0e5a2b21be2d847b4a3688f2433d6c6e05d683f9a821f27d66c5aa1df6cc60c
Opcode Fuzzy Hash: bdf62acd86bfa3cdd0c1f82a9d953e88417157254beed932e5a729f3a6e639df
Instruction Fuzzy Hash: 6A0157303105658FCB50EB29E88499DBBB1FF84A18B1142A9E5058B37ACB71ED498B90

Uniqueness

Uniqueness Score: -1.00%

Function 02D232E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843192be538ffcd12567b5d382b7d081d3347abf832d7db257cb52ce30b6e848
Instruction ID: 06aa55d933d5853d9c479b9a5aba714080847d927b1a720838cfcdffe5d7c8e4
Opcode Fuzzy Hash: 843192be538ffcd12567b5d382b7d081d3347abf832d7db257cb52ce30b6e848
Instruction Fuzzy Hash: E6115B35A201089BCB88EBB5E8597DE7FB2EBC8305F44446AF80697341DF396805DF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D25940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a620cd15592140ea477299a98a1dc726832fdb21d7016da87cc511283c33085b
Instruction ID: 6a86068b1abeb154de521a404c469c5ecbcfb2c35673ddbf70cb928ff1d68510
Opcode Fuzzy Hash: a620cd15592140ea477299a98a1dc726832fdb21d7016da87cc511283c33085b
Instruction Fuzzy Hash: 4D01F4767012208F8348AF6AF49889DBBA6FBD9661310417FFA05C7314DE31CC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02D22A80 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d460c227db6f831d3e0e249e422570e8df147ba8df65987bfc7a097fdfdcb4e
Instruction ID: 393c26162748660cd64f93f6ed98946f633e98ce39b5003a2232d2233e965d03
Opcode Fuzzy Hash: 3d460c227db6f831d3e0e249e422570e8df147ba8df65987bfc7a097fdfdcb4e
Instruction Fuzzy Hash: F1018F752107148FC350AF29C50899BBBF5FF94614B108A6ED55ADB368DF35EC088BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02D232F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56989f1bdc37a9c5f97ce96d159b43bfb0880ada7e2943e05a7af5b4d9a3b482
Instruction ID: 9292ad4350eeab91b6ce896024961dc40d0a10406a1d2f9cf7532669836e2bfb
Opcode Fuzzy Hash: 56989f1bdc37a9c5f97ce96d159b43bfb0880ada7e2943e05a7af5b4d9a3b482
Instruction Fuzzy Hash: B8012935A202049BCB88EBB5E5596DE7FF2EBC8305F404469F80697381DF395805CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02D22A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fb1a9c603253292cc22169bb7d047d02247a0d7d171cb7c6ecd63309228f0e
Instruction ID: 0e4391a45b33b61c3a75184dd1e9754ad72f82af4111667c314cfb42d68db658
Opcode Fuzzy Hash: 48fb1a9c603253292cc22169bb7d047d02247a0d7d171cb7c6ecd63309228f0e
Instruction Fuzzy Hash: 71F046B16406148FC350AF69C50889BBBE6FBA4614710896ED55ADB369EB35EC088BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02D24237 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e64509fe900d267b6d1305ee0d285f32da872fc9b7b28bec9c79885c605ede
Instruction ID: 02e6b3f8b07c20eff5af7f60b55ce0c5821c96cdf581066138a771559b5396cb
Opcode Fuzzy Hash: f1e64509fe900d267b6d1305ee0d285f32da872fc9b7b28bec9c79885c605ede
Instruction Fuzzy Hash: 1DF027322101081BC318A629A9407FE7B5AEFC0A10F48023EDC0187758CE75BD4946C4

Uniqueness

Uniqueness Score: -1.00%

Function 02D26388 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b617289a23e118a268791fe71fd012697530f52a1d71e33f3ac9372dac26ee88
Instruction ID: 4a4ad54d7df58cb096a0b6eab7a5a74bfced497c4d469c25f375511462c07501
Opcode Fuzzy Hash: b617289a23e118a268791fe71fd012697530f52a1d71e33f3ac9372dac26ee88
Instruction Fuzzy Hash: 8BF0F6749043C99FCB42EBB8D9414EDBFB1DF97210B1442EED8449B2A7CA311E06D741

Uniqueness

Uniqueness Score: -1.00%

Function 02D2593E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd7bf5ff61f1af97b0ff97f0e2f329492f3af34ae55fab6f6ea9e0f95863471
Instruction ID: e201b2f847cd267c8dfab031cc4638aeddba9dcd613c13279187593c40a6bdc2
Opcode Fuzzy Hash: 7fd7bf5ff61f1af97b0ff97f0e2f329492f3af34ae55fab6f6ea9e0f95863471
Instruction Fuzzy Hash: 90F082BA7112209F8349DF6AE4D89A9BBA6EFD9665314817EF909C7314DF31CC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02D25610 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ba275d77987ab8da3f02348e61a97bf9c3ced9840ee5a088886f3422f81fc0
Instruction ID: f2795b72fa6c8659ffac4bcd8e42f6ecb4908519df3cde20b15d7a8972550ed0
Opcode Fuzzy Hash: f7ba275d77987ab8da3f02348e61a97bf9c3ced9840ee5a088886f3422f81fc0
Instruction Fuzzy Hash: 30E0DF2241E3C00FC3460B286C9A1D03F32EDA316432D41D288848B227E82A581B8745

Uniqueness

Uniqueness Score: -1.00%

Function 02D26398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a86dc6f0fe131eabfc62ccd6943d7c040515cd2632b87c5b2def05bb254307e
Instruction ID: 05bfbfa7aeed9b72f9e67b668d26da5c927690c673b97a4b594dfbd1bdacc5a0
Opcode Fuzzy Hash: 4a86dc6f0fe131eabfc62ccd6943d7c040515cd2632b87c5b2def05bb254307e
Instruction Fuzzy Hash: A1F08C74E0024DEF8B80EFA8D9809ADBFB1EB98200F5041ADA808A7358EB305E049B50

Uniqueness

Uniqueness Score: -1.00%

Function 02D22D92 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97c15b9b17b6ecd5f51365ea5168c6b32f7dfd4e3e6757bb6d93f105d1cfd88
Instruction ID: a61859ffc6bc0fe3248ab974a438c7494102116c13ffeae9caeb15a4c43e4d11
Opcode Fuzzy Hash: b97c15b9b17b6ecd5f51365ea5168c6b32f7dfd4e3e6757bb6d93f105d1cfd88
Instruction Fuzzy Hash: 67F05835E100188F8B84EFA884096E9BBF4EB88300B1080AAD919E7710EB708E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 02D21FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5feb1f997c2cc6d0dd42ec530d39e8570d5f213a2adaabce8400b97338f2e308
Instruction ID: e880e8a544114efdeb3223782081a12e4f84bbe0b8d8f37ed207a5dea088a9d0
Opcode Fuzzy Hash: 5feb1f997c2cc6d0dd42ec530d39e8570d5f213a2adaabce8400b97338f2e308
Instruction Fuzzy Hash: 87E0263A3102184FC78857BDD81CADA7FEDEBC4221B00056AF406C7320DD30DD0182A0

Uniqueness

Uniqueness Score: -1.00%

Function 02D22DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a340a1b90d3d07bed6bc8133578806f927ca59d0a4803dccadf9c3f0db324722
Instruction ID: 3fea20f14bcf901b7363c5fd533dc16bf21fafb8384b19744798e80b0694df15
Opcode Fuzzy Hash: a340a1b90d3d07bed6bc8133578806f927ca59d0a4803dccadf9c3f0db324722
Instruction Fuzzy Hash: B2E06D71E101188F8B84EFBCC4046DEBBF4EF48310B1040BAD509E7310EB709D008B91

Uniqueness

Uniqueness Score: -1.00%

Function 02D237EE Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818408e1b68443623c83b22cedad3ae31ae2cf3dd3bf549a1519ed5d1bcce39f
Instruction ID: 2afdfa0625998af7481c41e3610f665672c646a8bac6aa6b764f7bd8579262ad
Opcode Fuzzy Hash: 818408e1b68443623c83b22cedad3ae31ae2cf3dd3bf549a1519ed5d1bcce39f
Instruction Fuzzy Hash: C7D02B7370012057CB1895AA6905AB6339F9BC8221B084126FA05C7354EF658C014390

Uniqueness

Uniqueness Score: -1.00%

Function 02D22008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a289e2d510cb6c01151b07dbb99d7261ca64a1e3b493b6e920a54ad8c5702ac
Instruction ID: c1671ad3ea0b524f363dbdba3b72279eaabd5ca45994439d6cf97732f47d589b
Opcode Fuzzy Hash: 0a289e2d510cb6c01151b07dbb99d7261ca64a1e3b493b6e920a54ad8c5702ac
Instruction Fuzzy Hash: A5D012357102145FCB5856BDD41889A7BE9DFC9621301046AF507C7320DD71DC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02D266C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc5400b24545b6dfc16a15017cb1b6ae0615050c7f6f06b938fea006121cf88
Instruction ID: 4e0aa0e593de907438e3f0287d95edfb12c2bc4e60d1b28a0720b33e7aa28db4
Opcode Fuzzy Hash: 7bc5400b24545b6dfc16a15017cb1b6ae0615050c7f6f06b938fea006121cf88
Instruction Fuzzy Hash: FDD0A7313162A00B83862AAC74A00D86FEACECE59034C01FBF905DB356CE559C176351

Uniqueness

Uniqueness Score: -1.00%

Function 02D26469 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50566d2c1628d4aeb09c3d9549e221bf3a1e43d9752b36388f9042df7b920d2
Instruction ID: 811dea69bc049e27c7521125a483169e0bda6560b58dad868fde975cd422eea6
Opcode Fuzzy Hash: e50566d2c1628d4aeb09c3d9549e221bf3a1e43d9752b36388f9042df7b920d2
Instruction Fuzzy Hash: A4D05EB41682444FCB4896208AEB5A67F32EF4035134544F6C0198B17AD91AC846CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02D2CFFE Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1624e98a8347a96d09f062805195e592729866fa5773bb3761c5b20c31f678dd
Instruction ID: 09b806e1315c22beff0e93115b1e27321f53ecf88e58b54502c709bb88fcbc9e
Opcode Fuzzy Hash: 1624e98a8347a96d09f062805195e592729866fa5773bb3761c5b20c31f678dd
Instruction Fuzzy Hash: BFD0A73801F21087EF20061193093743D525FD032EF24C02AB44A067A4CBF6C4CEDF21

Uniqueness

Uniqueness Score: -1.00%

Function 02D26478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679adda759abd2d126d323d2be015db8441d17bb492889b47c2824357f01906d
Instruction ID: fe23b101209debb35fc55cd12e06539191fd44f3e533c474bbd168753cc02954
Opcode Fuzzy Hash: 679adda759abd2d126d323d2be015db8441d17bb492889b47c2824357f01906d
Instruction Fuzzy Hash: 9CC012783402044F8304DB5CD08081577EAEBCC71031001A9F519CB33DCE20EC818618

Uniqueness

Uniqueness Score: -1.00%

Function 02D2CAA0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e23468ee3a87f3cf118bd156ffd31125a74ab35eb3b85d181eea09c6bbb8d4
Instruction ID: 40c80ea3ee4c19bc894e3af158cfca2934995e5d30da85d7e5a920e630fa615a
Opcode Fuzzy Hash: a9e23468ee3a87f3cf118bd156ffd31125a74ab35eb3b85d181eea09c6bbb8d4
Instruction Fuzzy Hash: F8C04CB296D3D11BEA034A744A953447FB09B27522F0A00C2E088C919695544806C725

Uniqueness

Uniqueness Score: -1.00%

Function 02D25640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2557779631.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4cfda442d94df0e5c32694c578da2776c512d6c8e3a2ac8a3bd59acc6a1f2b
Instruction ID: 2713c3651e686735319e1d1ec2c92cf35b532e8b1dfd1d5a61bac804aa73be00
Opcode Fuzzy Hash: dd4cfda442d94df0e5c32694c578da2776c512d6c8e3a2ac8a3bd59acc6a1f2b
Instruction Fuzzy Hash: F1B02B3011020D5786040917BC0D8113F1DFB9001D3400194BC0840200AE23CC144080

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 6400, Parent PID: 7924COMMON

Executed Functions

Function 00A54F58 Relevance: 7.9, Strings: 6, Instructions: 391COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A55082
(oq, xrefs: 00A551F9
(oq, xrefs: 00A551CD
(oq, xrefs: 00A55056
(oq, xrefs: 00A555A3
(oq, xrefs: 00A555CF

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-3333285191
Opcode ID: 31e922283f8f8a562d2dc8af5270aac632f658de2bcf28e51606d5c3c16efade
Instruction ID: 21f9e3ffadb9d390c84e138c4ffbb627073a4a0e8587829c95dc84ab6862fd5e
Opcode Fuzzy Hash: 31e922283f8f8a562d2dc8af5270aac632f658de2bcf28e51606d5c3c16efade
Instruction Fuzzy Hash: 8BE16C34E006188FCB04EF79D5646AEBBF2FF89311F248169D805AB395EB349D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A51049 Relevance: .8, Instructions: 843COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6a0740c727973da8c3616a3021247d2f1f8e0a6071c3b9beea273abda2e280
Instruction ID: 0dd3c840fa7be0af44ebfcb6f9a495829d98b333fb6e07e3c347109ee850be0d
Opcode Fuzzy Hash: 4e6a0740c727973da8c3616a3021247d2f1f8e0a6071c3b9beea273abda2e280
Instruction Fuzzy Hash: 6082B574640209DFDB06EBA4D664B6E7B77EB88310F205814E801337ADCB36AD95DB36

Uniqueness

Uniqueness Score: -1.00%

Function 00A55640 Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A5589B
(oq, xrefs: 00A5586F
(oq, xrefs: 00A55655

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: b0149527b73bc3b980a518a398ba9b7ce05ba2c6a88bc6214b05c6eab0c22a1e
Instruction ID: 21bd288417a51007f96ba300a4f3e07d667195f372f6d9e8dbc952c182ec41d8
Opcode Fuzzy Hash: b0149527b73bc3b980a518a398ba9b7ce05ba2c6a88bc6214b05c6eab0c22a1e
Instruction Fuzzy Hash: EA817B74B046049FC704DF79D568A6EBBF6BF89301B2580AAE806E7361DB70DC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A53750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A53786
(oq, xrefs: 00A53820
(oq, xrefs: 00A537B2

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: f4c18f291169fcf36d9e75a9a9732136280ac89a0add9e841ab41f0e72c95cd1
Instruction ID: 5ecac2be9cd3c4f7d39d27371105e72dcc54460e74436782e6f30f133c2fec3c
Opcode Fuzzy Hash: f4c18f291169fcf36d9e75a9a9732136280ac89a0add9e841ab41f0e72c95cd1
Instruction Fuzzy Hash: B7217D36B081985FD7196739541423F3FEBDFCA350319816AE806C73D1DD288D078395

Uniqueness

Uniqueness Score: -1.00%

Function 00A53BE0 Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A5419C
(oq, xrefs: 00A53DE5

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-3207256227
Opcode ID: 13a9dc805f024bc043dae0150d48a4375a0f75f4e8f6950606283aa28b39d9bd
Instruction ID: 37b4039c47bb603655e38e9eb2f02c242e08a08a657279cab7c0189d27ce2a21
Opcode Fuzzy Hash: 13a9dc805f024bc043dae0150d48a4375a0f75f4e8f6950606283aa28b39d9bd
Instruction Fuzzy Hash: BEF16C35B002049FDB05EB68D954B6EBBFBAFC9340B148469E806EB3A9DE35DC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A5385A Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A53BA1

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 55aa6c32d87602d4bd3498d4e454a527c9904b187aa634c4fa88e28afe7f2561
Instruction ID: f36d202fe925c35239965f7edb31ccc2357d2d315317af5fcbd033728f087472
Opcode Fuzzy Hash: 55aa6c32d87602d4bd3498d4e454a527c9904b187aa634c4fa88e28afe7f2561
Instruction Fuzzy Hash: 4DC15E35B00218AFDF05DBA8D954AAEBBF6BF88350F108029E805A7368DB35DD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A535E1 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A536B6

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: c038a2e80dc3f87a6540351017a31193033937814ca28c5d6fb8051d1e5cf400
Instruction ID: 2cde91b06d9946d258b35c4c98ad8782172da0a35db416c1812d21ebbe80668b
Opcode Fuzzy Hash: c038a2e80dc3f87a6540351017a31193033937814ca28c5d6fb8051d1e5cf400
Instruction Fuzzy Hash: 5B4116323041041FD715BB79996062FBBABEFC53503688479E806CB369EE34ED4B8391

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Tekq, xrefs: 00A5BF75

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 866bd417bd4f0d135d28e5a9e27c92b23b69ec48283828d5d7ee10f0938e1e09
Instruction ID: ab3f754f8a822d3da4d1e1644b383a9d32a060cf8439ea83741d33b8f04fe547
Opcode Fuzzy Hash: 866bd417bd4f0d135d28e5a9e27c92b23b69ec48283828d5d7ee10f0938e1e09
Instruction Fuzzy Hash: 89416E747006009FC754EF79C599A6EBBE6FFC9710B2580A9E506DB3B6CA71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Tekq, xrefs: 00A5BF75

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 5c57fd3f8f73e66bc2316867c281d97476c4657a5d82f7cbf5b53a284bababe6
Instruction ID: 7cac4a6537dd953fa14f934870e5fbade541863a12b0eec24a500a26bf0f8447
Opcode Fuzzy Hash: 5c57fd3f8f73e66bc2316867c281d97476c4657a5d82f7cbf5b53a284bababe6
Instruction Fuzzy Hash: 72415C347006109FC754EF69C599A6EBBE6FF88710B6580A9E506DB3B5CA71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A52B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LRkq, xrefs: 00A52B35

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: b19e0a030b88382bf0f03d38ea30f8e52720d9ff5e0ccc42e5b2d6e4b93bec2a
Instruction ID: 546d4e0faf7290f13012dc72b07732949985bd190d91facd621975d370439a3d
Opcode Fuzzy Hash: b19e0a030b88382bf0f03d38ea30f8e52720d9ff5e0ccc42e5b2d6e4b93bec2a
Instruction Fuzzy Hash: 5831EA34B002058FD71AEB35D554A5E33B6EF8AB15B2195A9D10ACB3B8DE35DC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 00A54237 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

(oq, xrefs: 00A54295

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 53301a02297f761b1fd42f0e42ee270a0727834843e28ffa309fc18a67306822
Instruction ID: 73147afc4323a3f4e314928a64770334979b89cc7b457765230eb9b43f52b806
Opcode Fuzzy Hash: 53301a02297f761b1fd42f0e42ee270a0727834843e28ffa309fc18a67306822
Instruction Fuzzy Hash: 71217B357081501FC305A77968602AE7BA6EFC622075444AFD445CB345CE25AD4A8394

Uniqueness

Uniqueness Score: -1.00%

Function 00A51058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53190ab5e23b77507ebe3e88a3b46ae6e49dd8aa55e0a2dad82ad333995c2d56
Instruction ID: cdda36b6c493f2d1838a4cb0c41f2c5e526815d0f67b7ca0da1abcb9a4ca82f0
Opcode Fuzzy Hash: 53190ab5e23b77507ebe3e88a3b46ae6e49dd8aa55e0a2dad82ad333995c2d56
Instruction Fuzzy Hash: BD82B574640209DFDB06EBA4D664B6E7B77EB88310F205814E801337ADCB36AD95DB36

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9240faf38758b5e65bd90e88b8e2846252e98000461e377206e5c2173b4dd6
Instruction ID: 66705d4db9e62ccff6d6e0914d52b2053e0a7780b548a21e92d1e6a4dbe9b888
Opcode Fuzzy Hash: 3f9240faf38758b5e65bd90e88b8e2846252e98000461e377206e5c2173b4dd6
Instruction Fuzzy Hash: 5A525B34A11200CFD71AEF34D558A6D77B2FF88312B618568D8169B3AADB35EC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C060 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4849a62e6e85255d3352a58d16363832479637bd09c864ced0eb6db2f6f21eda
Instruction ID: 80f9b87e0aa62739b5b9a11e9856821003b524f222bd74ff6c332f211827ed62
Opcode Fuzzy Hash: 4849a62e6e85255d3352a58d16363832479637bd09c864ced0eb6db2f6f21eda
Instruction Fuzzy Hash: DA7108716406049FD355EB24CA5059BFBB2FF80314754CA3E844A8BB69EF72F94A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5AF90 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3cd0bf43108a459f48bd05999f0bf542212b0a37c2969c1aaf6e40329446900
Instruction ID: 22d3424b0baa8791e647938d57a6eb6ecedbd17bdfee8088ec8dbfb16c4e6eb7
Opcode Fuzzy Hash: e3cd0bf43108a459f48bd05999f0bf542212b0a37c2969c1aaf6e40329446900
Instruction Fuzzy Hash: F651C17191E3D45FD703AB3899701897F71AF83214B0641EBC095CF2BBEA64994CC7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afb5085ac0a3d21400800b2155b49985b79aa436913c83cc495cb8ac1fb2e89
Instruction ID: 1d9298c82208235b25cec06bc54c137c6319d10034ec833aa511fda4cc625d58
Opcode Fuzzy Hash: 8afb5085ac0a3d21400800b2155b49985b79aa436913c83cc495cb8ac1fb2e89
Instruction Fuzzy Hash: 127108716406049FC355EB24CA5059BFBB2FF80314750CA3E844A8BB69EF72F94A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5BB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7b4f46ebac6963cdd46bf82fa49a9cac593137c5ededc9cda5da6b5844abc4
Instruction ID: b7c55c982ffd8febf7a5e79c4c730832d339e4aa606489bc6783f49817bd6566
Opcode Fuzzy Hash: be7b4f46ebac6963cdd46bf82fa49a9cac593137c5ededc9cda5da6b5844abc4
Instruction Fuzzy Hash: 2381D578A11201CFC716EB18E689D59BBB2FF44316B25E568D9058B32DCB70EC89DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A55A91 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4de2bab4f59707d3370b5e03e0eab469a19314c784eea8dbd95f72556e9970
Instruction ID: b78f2334cc928bfa4674c5a99431c22dc50943d957bb964c8b6d5a3fbdba46dc
Opcode Fuzzy Hash: 7f4de2bab4f59707d3370b5e03e0eab469a19314c784eea8dbd95f72556e9970
Instruction Fuzzy Hash: 87511974B006068FCB04DFA8D5A8A6ABBF5FF89311B1141A9E905DB365DB30EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C798 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97851bebc7592371ec4275bff9ca8f2088f0f9e3a6171f32a8c9d6ec6e8ac57e
Instruction ID: f6cf7685450258c8646a736ce5d70a269de0366326511bf8417713efc3cb7399
Opcode Fuzzy Hash: 97851bebc7592371ec4275bff9ca8f2088f0f9e3a6171f32a8c9d6ec6e8ac57e
Instruction Fuzzy Hash: AE51F571640700AFD355EB74CA4158AFBE2EE85314350CA3ED44A9B769EF31FA4A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00A55240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71e58db937d44c67aa2bf209ddd0b706584c0471df08d31381ba7f3216d6b38
Instruction ID: d3a87dcb1d75a9f5e3510562049e47cdc61af48abbb88561a2b51dcedf882b4d
Opcode Fuzzy Hash: f71e58db937d44c67aa2bf209ddd0b706584c0471df08d31381ba7f3216d6b38
Instruction Fuzzy Hash: AA512A70E00618DFCB14DFA5D5A4AADB7F2BF88312F248069E805AB264DB74AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C7A8 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15302111e17dca6144491a491da47a3ea4da42f885f37640c09f9be4836f5dd5
Instruction ID: a03cae1584ca002bc3b693a4fa356e789a8637d128e9a640998ece66b6f1c03d
Opcode Fuzzy Hash: 15302111e17dca6144491a491da47a3ea4da42f885f37640c09f9be4836f5dd5
Instruction Fuzzy Hash: 0151E5716407009FD355EB64CA4154AFBE2EF85314354CA3ED44A9B769EF31FA4A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00A52850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c87bfa1f85e22e05a7205297b153691660f184aa76e28af6424aedd0b7428e
Instruction ID: 1eac526964083358e2c2574a95204b6ffccaee7085defe202161be7b4612a89d
Opcode Fuzzy Hash: 71c87bfa1f85e22e05a7205297b153691660f184aa76e28af6424aedd0b7428e
Instruction Fuzzy Hash: 8E411575E40208CFDB14EFA4D984AADBBB6FF89341F245529D901A7368EB319845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A52842 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e25d56637b2abf34f3811996ad137f6a3266b79a6a99248bb758d0ed9b937e4
Instruction ID: bcedb3ca3156b51291fb98e778d665e2e0229be67b7b8d02a6da2ac15c395ed1
Opcode Fuzzy Hash: 2e25d56637b2abf34f3811996ad137f6a3266b79a6a99248bb758d0ed9b937e4
Instruction Fuzzy Hash: 9C416771E40208CFDB14DFB4D5947EDBBB6FF89341F245529D901A7268EB359889CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A55308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525c3c509167135e235cdc3e6ac73fc49bd0cb44425603998674dd17c3a2b9e8
Instruction ID: e2e858e94c9211275bbda7be2721c6c0ec666d4dfb5bbda7bd8e01ac3aeff22e
Opcode Fuzzy Hash: 525c3c509167135e235cdc3e6ac73fc49bd0cb44425603998674dd17c3a2b9e8
Instruction Fuzzy Hash: 8F410975E015149FCB04EFA5E994AADBBF2BF88312F249065E806A7368DB349C45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A52C48 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd82fd65a6b360b131bb9178b29a35861ead83a7528fba63931b3cf781e09160
Instruction ID: fd3047e67a8b6fbf0a2653f21b4fb87d6e473df52dbc157ad2f100bc54429381
Opcode Fuzzy Hash: bd82fd65a6b360b131bb9178b29a35861ead83a7528fba63931b3cf781e09160
Instruction Fuzzy Hash: D741397490420ACFCB01EFA8D584AEEBBF6FF49310F105565D801A7369EB31A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A56388 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48807ba1e105cca2f0fae0586876cfcfe32cec9c59b0b99323a68b2a95f2d0f4
Instruction ID: b45ecca353453bbbcc79b937ec4a5867f4842c8fb0874947390a6cd22b63748e
Opcode Fuzzy Hash: 48807ba1e105cca2f0fae0586876cfcfe32cec9c59b0b99323a68b2a95f2d0f4
Instruction Fuzzy Hash: 73210830D89189AECB01AB6C6D606EDFF61FE57302B8548F5D8888711DD53085DAC759

Uniqueness

Uniqueness Score: -1.00%

Function 00A5B0A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0904aeda098e4cf91f2e8575ea8ffcb67c2dc3abe4c65e540ab5e7fc33a4c6f
Instruction ID: ca02526c14e1221432e162831c2a309668c7bea80a913c7f92eb497af18efee7
Opcode Fuzzy Hash: d0904aeda098e4cf91f2e8575ea8ffcb67c2dc3abe4c65e540ab5e7fc33a4c6f
Instruction Fuzzy Hash: 4D31F430B102049FDB01EB78D9646ADBBB6FF84310F50852DD416AB3A9DF71ED498B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A52C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77ce86cdf8e6fde3a88d552f2d5120ff94fdb255df41e0d355e0b259a13ef9d
Instruction ID: cda73409b756cbaad1aeab5f8697346beb3fb74c0c58ae48d2b60c54516383eb
Opcode Fuzzy Hash: a77ce86cdf8e6fde3a88d552f2d5120ff94fdb255df41e0d355e0b259a13ef9d
Instruction Fuzzy Hash: 2D31197490020ACFCB04EFA8D584AAEBBF6FF88310F105524D805A7368DB71A994CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A5288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c059f2e0074bd657394cf1903c448bf5a31cab35498e80a221f5ba7457a3a5
Instruction ID: f31fd3d36bbead429b2781678d42276549df8793d75dc74e1f2a12ff2541e0f8
Opcode Fuzzy Hash: c8c059f2e0074bd657394cf1903c448bf5a31cab35498e80a221f5ba7457a3a5
Instruction Fuzzy Hash: B0313875E50208CFDB14EFA4E9847ADBBB6FF89341F245429D901A7268DB319885CF20

Uniqueness

Uniqueness Score: -1.00%

Function 00A54B70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b615cc9ade17717a7f94ad757eca6077262ffa099057b03b33f77cd3044442ef
Instruction ID: 1cf4b650c79f94fa21c6699ac69d1bab2a9e7869d3e2acaba84f1c5878bf274f
Opcode Fuzzy Hash: b615cc9ade17717a7f94ad757eca6077262ffa099057b03b33f77cd3044442ef
Instruction Fuzzy Hash: 222192302442415FC715FB78E990AAEBBA6FFC1310B448E79D4168B369DF70F9898B94

Uniqueness

Uniqueness Score: -1.00%

Function 00A5CEC0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a529fc1530c1f8dc07eefdb24508c43d0d3ab6cf0c779d469df3dd699481ca46
Instruction ID: 638e1d71befdde5bf7e7a24dfb0afa30f676c8793f71db4e168292a51907a8c6
Opcode Fuzzy Hash: a529fc1530c1f8dc07eefdb24508c43d0d3ab6cf0c779d469df3dd699481ca46
Instruction Fuzzy Hash: DC214875C00348EFDB11CFA8D4587DDBBB6BB48324F20846AE805A7344CB7A5948CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A54B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d84e0a5c40cd6fd621a930a42bb544f81e1a77c94ff683c8f419baf24d6257d
Instruction ID: c3fd4bbc2d2b35b166585e3bf2e39f9e467d2d5ad188aa28893b2760cecd4d49
Opcode Fuzzy Hash: 2d84e0a5c40cd6fd621a930a42bb544f81e1a77c94ff683c8f419baf24d6257d
Instruction Fuzzy Hash: 792181302042015FC714FB79E990B6EB7A6FFC0310B448A39D4168B369DF70BD898B94

Uniqueness

Uniqueness Score: -1.00%

Function 00A5CED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec5f0adbf0ab36891ba4d2364c6187ff92869cc08549df5c9e17bb813225036
Instruction ID: 2b571ffc6559cc69f577007d0da79011bfcf9f6dfd0eec6cd57d9a0a5eef6147
Opcode Fuzzy Hash: aec5f0adbf0ab36891ba4d2364c6187ff92869cc08549df5c9e17bb813225036
Instruction Fuzzy Hash: DB212674900348EFDB11CFA8D558B9DBBF6FB48324F24845AE805A7344CB799949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A52908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08809ba53b32a2df203119329b9a308848ccf8e69d2b3b7d959a965330a2265e
Instruction ID: 5b439784ac590d75346885b3f266be496258ec33c6c78fe6383ad175cf55e629
Opcode Fuzzy Hash: 08809ba53b32a2df203119329b9a308848ccf8e69d2b3b7d959a965330a2265e
Instruction Fuzzy Hash: B6211275E00208DFDB14EFA8D990AADBBB6FF88341F14912AD911A736CDB309845CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A55C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95760a22ad1406ffa7bf6c3e3583d70a3072f9e24097ecbee43ff66744d90966
Instruction ID: ab64b0bb66d64b7ee51a1e2dda4a0d7836b2bf77114db1c2513c63040b5aafcd
Opcode Fuzzy Hash: 95760a22ad1406ffa7bf6c3e3583d70a3072f9e24097ecbee43ff66744d90966
Instruction Fuzzy Hash: 19212736E002188FDB10CBA9C598ADDBBF1BF4C311F2400A5E905BB360DB75AD84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A56888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75682c2417e774accf6a364a7157c6d1434a46e3ce378018cb9169a6f1db2fd
Instruction ID: cad9cd181d3b2c72685d453065395408ae10e38e40fb1b2a222cd8e394d7c368
Opcode Fuzzy Hash: d75682c2417e774accf6a364a7157c6d1434a46e3ce378018cb9169a6f1db2fd
Instruction Fuzzy Hash: C4218131A00245CFDB10DFB4CA487EEBBF1BF45306FA4846AD805AB262DB764D49DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A5296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089860b73e36af2834092bbfe91a3c60e54a49c12efec1dc2e7a1087a613be75
Instruction ID: 419c83813ac0b131c34f58e3b482b442ab0b4e39344019ff52dff0829bed0ca3
Opcode Fuzzy Hash: 089860b73e36af2834092bbfe91a3c60e54a49c12efec1dc2e7a1087a613be75
Instruction Fuzzy Hash: 0B21A875D40208DFDB14DFA4D590A9DBBB6FF89301F245129E905A7368DB309D45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A55C5B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21f862fa67158cdeac30a4a9095e6b02001628919f8a656692d79d9fa90c624
Instruction ID: 5949db28c2995769a17b4e7f0a363654b5ad8072fb199fbb4677335ff9426aa7
Opcode Fuzzy Hash: a21f862fa67158cdeac30a4a9095e6b02001628919f8a656692d79d9fa90c624
Instruction Fuzzy Hash: 7B213831E002588FDB14DBA9C598BEDBBF1BF48311F2400A9E801BB261DB759D85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A541A2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5911e47d3c251637ae33f005b2231a32ad42923a744303a8635814e3fc72309b
Instruction ID: 1364f50752663b700ed70d4c9a5a071c57e06aeecd358edfaf38c58d9219e159
Opcode Fuzzy Hash: 5911e47d3c251637ae33f005b2231a32ad42923a744303a8635814e3fc72309b
Instruction Fuzzy Hash: 6A01F93170C2846FC306AB7958702AF7FAAEFC622075544ABD401D7246CE255D06C765

Uniqueness

Uniqueness Score: -1.00%

Function 00A532E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3bec1bb15044b9dd6e0c5014bad8b6c1e3571e06bd256097e191117c30f1ea
Instruction ID: 60b547d07fcb34e8d6763a4bc337a400a764ff3106e3c2bbc51b60d1e6567912
Opcode Fuzzy Hash: 9f3bec1bb15044b9dd6e0c5014bad8b6c1e3571e06bd256097e191117c30f1ea
Instruction Fuzzy Hash: 4611CE74E802048FCB04EFB8E559B9E7BF6AB8A301F404839D842D7285DF345865CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A5C000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b321a199b6c6b1e41eba82ea1ee886f3866527a5b589640615f53e086f435c44
Instruction ID: 2eda833fa31cb9f1a152a647f5f812903fd8b8460ef595824acb9b75993dcd54
Opcode Fuzzy Hash: b321a199b6c6b1e41eba82ea1ee886f3866527a5b589640615f53e086f435c44
Instruction Fuzzy Hash: 4B019A303506058FCB40EF28E994A99BBF5FF84715B5085A9E505CF37ACB71ED098B80

Uniqueness

Uniqueness Score: -1.00%

Function 00A52A80 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e653364a89693f64f29a1acafb5a13500989b4ddc7a8e2f68330ebd5f7ae3c9
Instruction ID: ee58b28a07852cf6ad3f596a5c731adad0068c812cea62682b8eaaa5a8642d96
Opcode Fuzzy Hash: 7e653364a89693f64f29a1acafb5a13500989b4ddc7a8e2f68330ebd5f7ae3c9
Instruction Fuzzy Hash: A4014C752442004FC312EF38C54599BBBF5EF8661471089AAD196CF3A6EB74EC058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A55940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c7d5cd1121fc72a275e05e480a6a3540cbf6a0c5b8998e0afe55bfa7fe833d
Instruction ID: 0c8aad02b20fc7521324a0ee1a08b7ec512f5144134dd669d8fa0f24ea4ed2d4
Opcode Fuzzy Hash: 89c7d5cd1121fc72a275e05e480a6a3540cbf6a0c5b8998e0afe55bfa7fe833d
Instruction Fuzzy Hash: CA01A4B67001149F8704EF79E49496EB7AAEBC9761310853AEA06C7310CE31DC01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A55931 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7df012f08053ee88ba6832a413cc5d79d77a18a1ea521f2bbf5aa41153b3117
Instruction ID: 5c003e2d26f630c2a419291a781ce9340a737e26bdc61e30c89fa3a3014be746
Opcode Fuzzy Hash: e7df012f08053ee88ba6832a413cc5d79d77a18a1ea521f2bbf5aa41153b3117
Instruction Fuzzy Hash: 1801F4713053009FC301AF79D4A4959BBFAEFCB36131484BAE505C7351DA319C41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A532F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8edc9d9354acf2f02f644e16cbb4e044b7083dfe01140d02d9ad988301c1a9b
Instruction ID: 7eae851cd95d6a342b814c014dc42c9ac39286e30d9e54b17a8db2655d651798
Opcode Fuzzy Hash: a8edc9d9354acf2f02f644e16cbb4e044b7083dfe01140d02d9ad988301c1a9b
Instruction Fuzzy Hash: 0D014C75E402048FDB04EBB8E55979E7BFAAB89302F004839D803A7384DF755824CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A52D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56993ea8b98866b96e89e8f63686f036243d46b7f140562fefd5272bfd87d631
Instruction ID: 3227f8ced34f793f969463a1ba713d4bfd4eae90b0240665012b09f716247187
Opcode Fuzzy Hash: 56993ea8b98866b96e89e8f63686f036243d46b7f140562fefd5272bfd87d631
Instruction Fuzzy Hash: 23F05831E100188FCB84EFACC5457DDBBF0EF8A310B2184BAD509EB212E6308A118B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A53821 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17f0bab629ed76c34465802ce65e45b357ef9947ac5666cbcd4b57e4708bc7d
Instruction ID: b4e9a282be7c0d41e1729fa450a289dabf88fdfa36ff8816a6a8c1dddf82d396
Opcode Fuzzy Hash: b17f0bab629ed76c34465802ce65e45b357ef9947ac5666cbcd4b57e4708bc7d
Instruction Fuzzy Hash: 34E092223491948FC6061B79547817D3F66EBD2721B1442A3D815CB2C6CE66490B8355

Uniqueness

Uniqueness Score: -1.00%

Function 00A56398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc0467b953ad3ed5cf4a259a841a21130b28dbbf0a52d821bc127149c8679a5
Instruction ID: 79498eb88c4b71dd50f82d3a8accebb3d32f18ee049f766604ce9da91eb2674c
Opcode Fuzzy Hash: 0dc0467b953ad3ed5cf4a259a841a21130b28dbbf0a52d821bc127149c8679a5
Instruction Fuzzy Hash: FBF01274E0420CAF8B40EFB8D951A9DBBF5EF84201F5045A89804A7754EA306F449B55

Uniqueness

Uniqueness Score: -1.00%

Function 00A51FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eef5c45cf981fedad435667352776c253f65e39754a5f3243b223faa79de56e
Instruction ID: b994595ce30d23dd0a3c067192050777ce318ec43d444e1c1cbdfc4ce8654883
Opcode Fuzzy Hash: 4eef5c45cf981fedad435667352776c253f65e39754a5f3243b223faa79de56e
Instruction Fuzzy Hash: 45E065347452808FCB069B39D4A8899BBE9EF8B21531509EBE006CB222CA30CC558B21

Uniqueness

Uniqueness Score: -1.00%

Function 00A52DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12648e6fa21559d34cb90cb6121726ddc6703b200976b61b096e95d4deacd65d
Instruction ID: 5a88031fce777a14ea62bff92a622498de18acb3f625c9a577facfbbd87f9db1
Opcode Fuzzy Hash: 12648e6fa21559d34cb90cb6121726ddc6703b200976b61b096e95d4deacd65d
Instruction Fuzzy Hash: F0E0ED71E101188F8B84EFBCD5056DEBBF5EF49311B2180BAD519E7311EB709E118B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A5CFF0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f53a137a6f5e203ee2a7fd48892dcdf72b7121e3560af7c7e03d322f98a0a88
Instruction ID: 1e8db6f08bfd1443902035e0359684636a35a0f2ea1a5a525d40b0b586319653
Opcode Fuzzy Hash: 8f53a137a6f5e203ee2a7fd48892dcdf72b7121e3560af7c7e03d322f98a0a88
Instruction Fuzzy Hash: FBE08C3840930096EB210291A1283703AADAB8131AF188069980A067D48AFE88CEEB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A566C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da2ef0d5a17ef9e491a8050ac9e9a75a3b6a987440f022f0e04785769c008a7
Instruction ID: ebbc6c17dbf9944f3d019be3caebd0afab6a739ab392f64763b4dd94c3e33649
Opcode Fuzzy Hash: 9da2ef0d5a17ef9e491a8050ac9e9a75a3b6a987440f022f0e04785769c008a7
Instruction Fuzzy Hash: 82D05E3170D2A19F87062A6CA8101A9BBEADECA22234901B7F105DB347CE644C869792

Uniqueness

Uniqueness Score: -1.00%

Function 00A56469 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bec42b2e15a63db8e04ca3315dbc5447c275d55b43bef04b73bcb60edabd108
Instruction ID: eab6cf1399fa3bbc0faafa3b54738e4b614779dda50e1862c075ab7e6f6f4adc
Opcode Fuzzy Hash: 7bec42b2e15a63db8e04ca3315dbc5447c275d55b43bef04b73bcb60edabd108
Instruction Fuzzy Hash: 0AE017796482408FC705CF38D495965BBB6EF8A31071014F5E549CB37ADA25CCC2CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00A55631 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa2a96a0d990025ab40db7f443c1d98885ab2098de8b2ecd308dc99d151d23a
Instruction ID: 40e4b958d41804fec5413f06a60b46903b3fc352ada6a5d7683acba12576da7b
Opcode Fuzzy Hash: 2aa2a96a0d990025ab40db7f443c1d98885ab2098de8b2ecd308dc99d151d23a
Instruction Fuzzy Hash: 20D05E105486C96FC303077C6C651A17F799D4B11535C04D6D8844B023E413986F9754

Uniqueness

Uniqueness Score: -1.00%

Function 00A56478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51634fc31f3338680d1ca5c86d987638637aabb5cc20f68b069850225b978ae5
Instruction ID: 7f26ed97b7425aaaa6b28c42b278a55b847daabd77d4b1d4ae34289ed51961a9
Opcode Fuzzy Hash: 51634fc31f3338680d1ca5c86d987638637aabb5cc20f68b069850225b978ae5
Instruction Fuzzy Hash: D1C012747843044F8304DB6CE05081573EAEB8C71031010B4E619C733DCD20EC818658

Uniqueness

Uniqueness Score: -1.00%

Function 00A5CAA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2830632238.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a50000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5411023e83eeaf825fc184e421c46d70842225669e641f4a3a54b5bd9f139ee9
Instruction ID: f7727e0b36b4a577c3f6a6239250c64de80b1a7656d820da5228057ad33a185d
Opcode Fuzzy Hash: 5411023e83eeaf825fc184e421c46d70842225669e641f4a3a54b5bd9f139ee9
Instruction Fuzzy Hash: 4EC04CA2AD97C43EDA430E6119643983B249752122F1506A2D784C9192545925078325

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 6536, Parent PID: 7924COMMON

Executed Functions

Function 012A4F58 Relevance: 11.9, Strings: 9, Instructions: 601COMMON

Download Yara Rule

Strings

(oq, xrefs: 012A586F
(oq, xrefs: 012A5655
(oq, xrefs: 012A55A3
(oq, xrefs: 012A5056
(oq, xrefs: 012A5082
(oq, xrefs: 012A51CD
(oq, xrefs: 012A589B
(oq, xrefs: 012A55CF
(oq, xrefs: 012A51F9

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-1155985100
Opcode ID: 60c3c7b1f9547c795c3eaf779299ff29b0dcd242fd26be8d8e8b0d0742fb0dab
Instruction ID: 13b8cc0b626e7ce16da808f789cd5e8747bab75cf867b30b7e9ce3965310ecd4
Opcode Fuzzy Hash: 60c3c7b1f9547c795c3eaf779299ff29b0dcd242fd26be8d8e8b0d0742fb0dab
Instruction Fuzzy Hash: 0032B134B202198FDB08EF69D9546AEBBF2EF89300F548069E505EB395DF749D41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 012A3860 Relevance: 4.4, Strings: 3, Instructions: 679COMMON

Download Yara Rule

Strings

(oq, xrefs: 012A3BA1
(oq, xrefs: 012A3DE5
(oq, xrefs: 012A419C

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: 4b63abb1773bac2bc10c76cafba01709cfa573b2ca68ef3f8fc65dc1b8a26de3
Instruction ID: 8975f32bee570076deeb521a9b41b99c894bb8a676ce762fe0ae24d4ea93a88d
Opcode Fuzzy Hash: 4b63abb1773bac2bc10c76cafba01709cfa573b2ca68ef3f8fc65dc1b8a26de3
Instruction Fuzzy Hash: 12427034B102159FDB05EBA8D954AAEBBBBFF88300F148469E505EB3A9DE35DC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012A1049 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089313286eb89a5a4e5348300df6271b2f7c52f6ff3ffe717da085024ad209da
Instruction ID: fd40f1153e33d2d16827dd5b8985a9187ac123fcbb193c19d8fb476f7e35a473
Opcode Fuzzy Hash: 089313286eb89a5a4e5348300df6271b2f7c52f6ff3ffe717da085024ad209da
Instruction Fuzzy Hash: 7582BD78640209DFDB06FBA4D654B6E7B7BEB88300F104814E801777ACCB36AD95DB26

Uniqueness

Uniqueness Score: -1.00%

Function 012A35F0 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

(oq, xrefs: 012A3786
(oq, xrefs: 012A36B6
(oq, xrefs: 012A37B2

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: 9f07443809d1d2a123022f75a218c9b9a702093b888dc0c2678c178e2743d976
Instruction ID: 48409305957030e17382aaa46d3b87a2642993e4497b1ba146d29dc6c7e815bb
Opcode Fuzzy Hash: 9f07443809d1d2a123022f75a218c9b9a702093b888dc0c2678c178e2743d976
Instruction Fuzzy Hash: 5E4115317241140BD719BB39AC6063F7BEBEFC52507688968E906CB398DE38DD078399

Uniqueness

Uniqueness Score: -1.00%

Function 012AC060 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

K., xrefs: 012AC094
K/, xrefs: 012AC0C6

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: K.$K/
API String ID: 0-4103799487
Opcode ID: 26200ccc9dca6bbdb41a4360c46408580a28c6453f0c3e7abc616fd5eb932273
Instruction ID: fc24b58abc531c2c138aadf7f2c9ff393914be5184cbd01836a62d7214cdf4fc
Opcode Fuzzy Hash: 26200ccc9dca6bbdb41a4360c46408580a28c6453f0c3e7abc616fd5eb932273
Instruction Fuzzy Hash: 117116716416049FC355DB24CA5059BFBF2FF80304354CA2E814A8BB69EF76FA4A8BC4

Uniqueness

Uniqueness Score: -1.00%

Function 012AC070 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

K., xrefs: 012AC094
K/, xrefs: 012AC0C6

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: K.$K/
API String ID: 0-4103799487
Opcode ID: dbc60c1564b4cd640ce90956ceaf7f5e7c3757ac0224cf79ab4e572d36156d80
Instruction ID: 43b262ed9e89e94dea7095270a7532a39d6791be301243d8e5bec45dd3edf55a
Opcode Fuzzy Hash: dbc60c1564b4cd640ce90956ceaf7f5e7c3757ac0224cf79ab4e572d36156d80
Instruction Fuzzy Hash: B67106716416049FC355DB24DA5059BFBB2FF80304354CE2E814A8BB69EF76FA4A8BC4

Uniqueness

Uniqueness Score: -1.00%

Function 012ABEAF Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

Tekq, xrefs: 012ABF75

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 06f8ca634e7a9d067e7756f4f6607e2c2977614bf8cdeda3df643f1b3fa21339
Instruction ID: 0be1bc30ddf9cca17265add78af52ce92428a2bfcdd26a661b523ef11ac8b104
Opcode Fuzzy Hash: 06f8ca634e7a9d067e7756f4f6607e2c2977614bf8cdeda3df643f1b3fa21339
Instruction Fuzzy Hash: 6A418F747006118FC754DF2DD898A6EBBF6FF88710B2580A9E506DB3B6CA75EC058B90

Uniqueness

Uniqueness Score: -1.00%

Function 012ABEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Tekq, xrefs: 012ABF75

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: f4d47529decafcc35d92b5b70373b640e48635daa9365de748e001c4ff8a5623
Instruction ID: 0c57927d1bd9a94c0271722b5fe23113ccad8a8e83dae1123487f6bf5a45b75d
Opcode Fuzzy Hash: f4d47529decafcc35d92b5b70373b640e48635daa9365de748e001c4ff8a5623
Instruction Fuzzy Hash: BE417E747006118FC754EF6DC898A6EBBE6FF88710B6580A9E506DB3B5CE75EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 012A2B10 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

LRkq, xrefs: 012A2B35

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 278547a562225a742df52e4b50f7afbd321699097ed2906ba3468c20a7c6036c
Instruction ID: 24ba08f591d8dc9152475d301d488bcaca2af5b86f131c166ab92dccae891079
Opcode Fuzzy Hash: 278547a562225a742df52e4b50f7afbd321699097ed2906ba3468c20a7c6036c
Instruction Fuzzy Hash: 0331F8307012158FD74AAB39D554A6E37B6EBC9A10B20856CD10ACB3B8DE3ADC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 012A2B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LRkq, xrefs: 012A2B35

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: d74cc93a06a7cfcc07c010902397c0d22bf7e6d5eece644924187bf135c6d175
Instruction ID: 7506cd9bed01892991afad127716b27a3bf59584f0d636301273e68a4f62c24b
Opcode Fuzzy Hash: d74cc93a06a7cfcc07c010902397c0d22bf7e6d5eece644924187bf135c6d175
Instruction Fuzzy Hash: EA31D8347012158FD71AEB39D554A6E33A6EBC9A14B20956CD10ACF3B8DE3ADC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 012A4248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(oq, xrefs: 012A4295

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: e24c6d1638ce9cedcd9eceab8e220d51ef32065eaa489e55b6fd9c1370a768fc
Instruction ID: 7b33c2da3d326a6af060c206f88e5aa24e168f01682e73ba7218959bf54a0150
Opcode Fuzzy Hash: e24c6d1638ce9cedcd9eceab8e220d51ef32065eaa489e55b6fd9c1370a768fc
Instruction Fuzzy Hash: 79019C327181900FD30AA77D682512E7FA3EFD261038844AED441CB399CEACDD4683D4

Uniqueness

Uniqueness Score: -1.00%

Function 012A37F0 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

(oq, xrefs: 012A3820

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 0baa7b4ed01d61c9882e43bfb9cfbf0afc505cf777452f12dbef2c972b224868
Instruction ID: 2f198f35a6ff9ecb5b15c66625188ccb43c724640f5c2764eb090bc61d4de177
Opcode Fuzzy Hash: 0baa7b4ed01d61c9882e43bfb9cfbf0afc505cf777452f12dbef2c972b224868
Instruction Fuzzy Hash: 85F059327141540FD709AB7D681053EBBAFAFC5320B18426AFA15C73D1DE689C0643A1

Uniqueness

Uniqueness Score: -1.00%

Function 012A1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119bf04b28784f3c81866c02d06cc75fa4ac79e59aba76403453b6a696325135
Instruction ID: 123962f586c5a251d326ce6a6b8b0d14e13e6990e8054eec5279cba4432c496a
Opcode Fuzzy Hash: 119bf04b28784f3c81866c02d06cc75fa4ac79e59aba76403453b6a696325135
Instruction Fuzzy Hash: 4A82BD78640209DFDB06FBA4D654B6E7B7BEB88300F104814E801777ACCB76AD95DB26

Uniqueness

Uniqueness Score: -1.00%

Function 012AB0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375ab63375f14f676dfd3eb88e3cc4b573b7bcd3f57f51671c5f72b1a403036f
Instruction ID: e1e779f984ad712b59801fa64addac3669ec087d982fe37dcd20aad8468a75fb
Opcode Fuzzy Hash: 375ab63375f14f676dfd3eb88e3cc4b573b7bcd3f57f51671c5f72b1a403036f
Instruction Fuzzy Hash: 37525734A11201CFD719EF28E958A697BB2FF84301B648568E516DF3AADB75EC81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 012AAFA1 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bde501a3c2fe521df55319c7884e230d7fa5e43c31c35110b6d68b847261a91
Instruction ID: 4ad974ee648f9dec153fb9c3e146e8a062d5791acc2c1ce49802ffc35f0d9206
Opcode Fuzzy Hash: 3bde501a3c2fe521df55319c7884e230d7fa5e43c31c35110b6d68b847261a91
Instruction Fuzzy Hash: A861D2725193D44FDB03AB38DDA12D97FB1EF83210B0945EBC084CF1A7D6649948C796

Uniqueness

Uniqueness Score: -1.00%

Function 012ABB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf0365d9f0da6e945e019dc693f829c593d925268653a5598f6a6017bd5cf6b
Instruction ID: 67c5bd60544d90a118a0de4331eb83f51ecc4f1c7869b2a3f730f633fdabe165
Opcode Fuzzy Hash: 6bf0365d9f0da6e945e019dc693f829c593d925268653a5598f6a6017bd5cf6b
Instruction Fuzzy Hash: 0781E878912245CFC712FB18E689A69BBB2FB84304B95C569D6258F329C770FC89DF40

Uniqueness

Uniqueness Score: -1.00%

Function 012A385A Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0be97d15c280f3fa320b4109872c69dfe7d83f11e8b6a85b614f1351e708f06
Instruction ID: e2d566fdd9a0b476a09bbd5c0dba8f1acd11712bb6c10e77891a49b5e6cfb34b
Opcode Fuzzy Hash: a0be97d15c280f3fa320b4109872c69dfe7d83f11e8b6a85b614f1351e708f06
Instruction Fuzzy Hash: F3612C34A11219EFDB05DFA8E994AADBBB7FF88310F148419E905A7364DB35EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 012A5AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cb1b532f25936215f70ff57f429e67bae5e5280f25461598189c944708166a
Instruction ID: 3d44294aeb4426be3714f45bfe5886c03a5ab08fcc04f5aaba1ade7f83aafe58
Opcode Fuzzy Hash: 15cb1b532f25936215f70ff57f429e67bae5e5280f25461598189c944708166a
Instruction Fuzzy Hash: EA515A75B102068FCB04DF68D994A6EBBF6FF88310B5145A8E50ADB365DB70ED05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012AC798 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de70d8a45d3b422d64b72a897ca764c7d2f908cfca1802f97893eb26e51daf6
Instruction ID: dec6c7de9fb241e79c5cb6a709d15bbe9ddbb246e6aa3575689992f259e44e9d
Opcode Fuzzy Hash: 6de70d8a45d3b422d64b72a897ca764c7d2f908cfca1802f97893eb26e51daf6
Instruction Fuzzy Hash: 445126715006009FC359EB24DA4158AFBE2EF85304354CE6EC18A9BB65EF75FA0A8FC4

Uniqueness

Uniqueness Score: -1.00%

Function 012A2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ecee165e7f42a4be443e06d9833463a9a51882adbe1d8dd85d04681b367858
Instruction ID: 1df5775c111fedb9ca8c792475217121a4162a8ef9c30e2067d6f6ea93d7271d
Opcode Fuzzy Hash: 41ecee165e7f42a4be443e06d9833463a9a51882adbe1d8dd85d04681b367858
Instruction Fuzzy Hash: 0B411B74E20209CFDB14EFA5E994ADDBBB2FF88310F604529E505AB368DB359881CF10

Uniqueness

Uniqueness Score: -1.00%

Function 012A5A91 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df742c10083269f403aae1de99e4a254c483665753d19ba9829ac45e95da2e7
Instruction ID: 4f156f46e7ceb6e97e06d1aaf2a2cc7d21ffae129c99d8aa0bb7aca64f7b9c31
Opcode Fuzzy Hash: 5df742c10083269f403aae1de99e4a254c483665753d19ba9829ac45e95da2e7
Instruction Fuzzy Hash: 91414975B102068FCB04DF68D998A6ABBF6EF88310B5145A9E509DB376DB30ED05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012AC353 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c85c9eea0a909a991c07fa862bb12bae0ad7916e17ebd44d6b5a545919252d
Instruction ID: 14d2e846e4542a1715652f337d72e5500ced955aa9493129afb17b04b8b0fbf0
Opcode Fuzzy Hash: 99c85c9eea0a909a991c07fa862bb12bae0ad7916e17ebd44d6b5a545919252d
Instruction Fuzzy Hash: B231E4311142858FD705DF78D99119ABFA2FF81304754897EC646CF666DB32E947CB80

Uniqueness

Uniqueness Score: -1.00%

Function 012A2842 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d9bae4374312c45dd7b14c7cfd9e6baea37bb4f1b875bbb5582c8c747b0152
Instruction ID: c2d7a390dac6dd9cb1386983999d14cf543243b895509f81f8956ab54883f6cc
Opcode Fuzzy Hash: 38d9bae4374312c45dd7b14c7cfd9e6baea37bb4f1b875bbb5582c8c747b0152
Instruction Fuzzy Hash: 98314A34D20209DFDB08EBA4E5946EDBBB2FF88310F604529E505A7368EF759885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 012A5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f3f55e5e9580505c054fdcc3ea268d0917223421c8b16ee6574863209403a7
Instruction ID: 76bdf21f791b8a7971bc080e81cd0d671cb6865edbc7f6c45f21c72fcb51b819
Opcode Fuzzy Hash: e7f3f55e5e9580505c054fdcc3ea268d0917223421c8b16ee6574863209403a7
Instruction Fuzzy Hash: A941FD34A10215DFDB44EFA5E594AADBBB2FF88311F508065E906EB364DB349D41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A2C48 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654408b2731cdf9288a6bb2645010ff8dd271636cbf8271e190f18a01002e16b
Instruction ID: c451c1545b31081c10f1ddfa710840af8a5b447707977eaccdf8c64c2edd1b4f
Opcode Fuzzy Hash: 654408b2731cdf9288a6bb2645010ff8dd271636cbf8271e190f18a01002e16b
Instruction Fuzzy Hash: 5941F77490020ACFDB04EFA8E9956EEBBB6FF48310F104129D505AB369DB35AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ed88b64e56e2be8a48f646830315734baa874bd4167eb11630e496613820a4
Instruction ID: d1c2847630b4eb49630bb2b34f31a94518763c7eb5cd4a386208cf766a7fd79a
Opcode Fuzzy Hash: b6ed88b64e56e2be8a48f646830315734baa874bd4167eb11630e496613820a4
Instruction Fuzzy Hash: 8331C57490020ACFDB14EFA8E585AAEBBB6FF48310F104129D515EB369DB35AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 012A288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18003cb7f92a31862960f0f15913b03fb56260e85391ad665d1091c68c9c3c1f
Instruction ID: b003f53f6399c89f6d4467f4852bb3f840103d97c053870b95b7988a08b0ab35
Opcode Fuzzy Hash: 18003cb7f92a31862960f0f15913b03fb56260e85391ad665d1091c68c9c3c1f
Instruction Fuzzy Hash: B6310B74E20209CFDB14EFA4E9946EDBBB2FF88350F644129D505A7368DB759885CF10

Uniqueness

Uniqueness Score: -1.00%

Function 012A4B70 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797b99abce8463b50686290742d460137d9cbb1c5bb0444bcf8ad59456c4fa15
Instruction ID: 3d7dd65c8f6fffb9bd7c9af817697759c898da666880f6ced26297852b206828
Opcode Fuzzy Hash: 797b99abce8463b50686290742d460137d9cbb1c5bb0444bcf8ad59456c4fa15
Instruction Fuzzy Hash: 6921D6312142015FCB15EB78ED9066EBBA6EF84310F444E28D0168B369DF74FD898BA8

Uniqueness

Uniqueness Score: -1.00%

Function 012ACEC0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1151f0c26c1dedc30e93ebf67adac49ecac216aa905a0bb440c6c361a3f1781e
Instruction ID: cf9bf17d61299a51d729967232fbce11f1774b23b6ef487bd781efcdd6709bf8
Opcode Fuzzy Hash: 1151f0c26c1dedc30e93ebf67adac49ecac216aa905a0bb440c6c361a3f1781e
Instruction Fuzzy Hash: BC216675C20248DFDB16CFA8C249B9DBFB9BB48314F20846AE905AB341CB755954CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D0EC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2429434765.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f3d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3812bff3dd5721668a977245b011fb0a0e14963d603c2173cb20d4a160a55161
Instruction ID: b51b6dd891a7a217d1ad685d83e3d3c6fed264e43c414cfe6cfaafb09e154c9e
Opcode Fuzzy Hash: 3812bff3dd5721668a977245b011fb0a0e14963d603c2173cb20d4a160a55161
Instruction Fuzzy Hash: 4E21D5B1A04244DFEB04FF24E9C4B26BBA5EB94724F20C66DD9094B351C33AD846D661

Uniqueness

Uniqueness Score: -1.00%

Function 00F3E1DC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2429434765.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f3d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f56497bc326b563b7ef2443114c76c28cab4ad60d113475625764e84d883e42
Instruction ID: 48399abd1f0c4cbad9f135638a193fb63d6ecb9e457e28a18b844c3cb8c86506
Opcode Fuzzy Hash: 8f56497bc326b563b7ef2443114c76c28cab4ad60d113475625764e84d883e42
Instruction Fuzzy Hash: 4821D5B1A04244DFDB14EF24D5C4B2BBBA9EF94724F30C66DD9094B2D1C33AD846D662

Uniqueness

Uniqueness Score: -1.00%

Function 012A4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2469e90da1d43b6081a9efcdab5b55cd3af12e6c0d941b66b95da2f2feeee79
Instruction ID: 39f2e8ffbf9262c9df00bac0596aebe34a3d3480e6796432a205f1b086dad674
Opcode Fuzzy Hash: c2469e90da1d43b6081a9efcdab5b55cd3af12e6c0d941b66b95da2f2feeee79
Instruction Fuzzy Hash: 652196302102015FC714EB79ED81A6EB7A6EFC4314B448A38D4158B369DF74BD8947A4

Uniqueness

Uniqueness Score: -1.00%

Function 012ACED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cd7161dadc87ec86849c6857dcecf67ebd3966a17ce7ee1ac67fd671ce30fd
Instruction ID: fa01b69e8410f70ec810ca132308a8b111a57915bc92fc6a0c256890a22746b6
Opcode Fuzzy Hash: a2cd7161dadc87ec86849c6857dcecf67ebd3966a17ce7ee1ac67fd671ce30fd
Instruction Fuzzy Hash: 54215770D10248DFDB15CFA8D559B9EBFFABB48314F20806AE905AB340CB759945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 012A5C42 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d23c1f1b93441f06f9a2134a9249fdac49132374c1baff88f156113e0dd250d
Instruction ID: f884d9d8cf3bbcc5a0f973cbc967e803ceb3ce1b467dc86efff6a4d0d35f1462
Opcode Fuzzy Hash: 5d23c1f1b93441f06f9a2134a9249fdac49132374c1baff88f156113e0dd250d
Instruction Fuzzy Hash: A2219075A143488FDB02CBB9C548ADD7FF1AF09310F1901A6D541FB2A2D7745D85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 012A2908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa97aa3577298d96f3b96de1e1246c62a275d856aad156188f47b1604276ba00
Instruction ID: ed2d77c44b72034cd4a02bda0cb1aac8a2becbe5220d962d63691aa6e5ccb545
Opcode Fuzzy Hash: fa97aa3577298d96f3b96de1e1246c62a275d856aad156188f47b1604276ba00
Instruction Fuzzy Hash: 5521B834D20209DFDF14DFA9E990AADBBB2FF88340F508129D915A7368DB759845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 012A5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671135c4d0816dc7355d9dc1222193bc2876da4bbbae983f134724afb2eb67d3
Instruction ID: ecddd4df6c9c7177313d9aa103de184f5c2b71c230f20b8d94cbed68a847ccac
Opcode Fuzzy Hash: 671135c4d0816dc7355d9dc1222193bc2876da4bbbae983f134724afb2eb67d3
Instruction Fuzzy Hash: FA213B75A102198FDB10CBA9C588ADEBBF1AF4C310F6401A5E505BB361DB759D44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012A6888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182d746fb501586a0ca5d6351ac938bea7aa8d5231af70c7c79de005c44ffdb9
Instruction ID: dd5443ee12a40c2aa59bebdb5b0c7126997892cbeaa5089e4aaf7e38448c8278
Opcode Fuzzy Hash: 182d746fb501586a0ca5d6351ac938bea7aa8d5231af70c7c79de005c44ffdb9
Instruction Fuzzy Hash: 2821B171D1020ACFDB10DBA4CA097EEBBF6EF45304F988469D501A7261CB769A05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012A296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f55c119233dc33cb2f5612bd4de279d8be219b0f3ced8925c02fa73785b9070
Instruction ID: 84724056efd4cbf368481afe74822e3dcf01350a2317300bf093abe9e704a143
Opcode Fuzzy Hash: 7f55c119233dc33cb2f5612bd4de279d8be219b0f3ced8925c02fa73785b9070
Instruction Fuzzy Hash: A2219634911209DFDF14DFA8E584A9CBBB2FF48300F604129E519AB369DB759D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D0E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2429434765.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f3d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 220d4d01037d5bfcf147082297a4b5498a9e71f38ccaf4d50510eda614fceb6e
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: 6E11A0B5904284CFEB15EF24E5C4B15BFB1FB94324F24C6AED8494B652C33AD84ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F3E1D7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2429434765.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_f3d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 2e67d9e01a76b2bc607ca7c18456fd38ce314440d086987a4eaad1ba93064c6b
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: 5811E0B5904280CFDB15DF24D5C4B26BFA1FF54324F24C6ADD8494B692C33AD85ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 012A5911 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87144c7f6c1c0979d10e5bdc68a2cf5dbfeacd5cb9ada0a3e60d0239d2487a92
Instruction ID: b9e0934611fa1f5f66a711642626c0baa4250716a0b8475c91eb66ff6109567f
Opcode Fuzzy Hash: 87144c7f6c1c0979d10e5bdc68a2cf5dbfeacd5cb9ada0a3e60d0239d2487a92
Instruction Fuzzy Hash: 3B01F2B73253408FC3029F79E8595597BF5EF8621131984AFE544CB3A2DA388C05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012AC000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86378ab03e7c765ebc29c66fee1577ec92ef7e1b54f2c797c6016447d2e2416
Instruction ID: a7d0e2ec6dcdf98bf6238c47e9849700f08c6bd7cae69ca1443e8d4c4e6f9a81
Opcode Fuzzy Hash: e86378ab03e7c765ebc29c66fee1577ec92ef7e1b54f2c797c6016447d2e2416
Instruction Fuzzy Hash: 5B0165303105158FCB44EB28E885A9DBBB5FF85714B0145A9E605CF37ACB71ED498B80

Uniqueness

Uniqueness Score: -1.00%

Function 012A32E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f20fd6fb02091c6d9ed688477350bd8933c68103b72dd4000ca26cc1e0e980
Instruction ID: 2698c8777b4dda3d7104976eb606fb75a1d351ab691c36fe96aec4f78040d4e9
Opcode Fuzzy Hash: 33f20fd6fb02091c6d9ed688477350bd8933c68103b72dd4000ca26cc1e0e980
Instruction Fuzzy Hash: 29113935A20144CFCB44EBB4F46E7AE7FB6AF88311F444429E406A7781DF395805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 012A5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150fec49c0a825d36a90e35b356fcb77b03a51f11dab2385d2b7675199799070
Instruction ID: a21d7089ccf4a25cad14426ceca774abbede020f20d85d61c906b7a839a5dacc
Opcode Fuzzy Hash: 150fec49c0a825d36a90e35b356fcb77b03a51f11dab2385d2b7675199799070
Instruction Fuzzy Hash: 5A01A4763102208F8704EB6DF89895EB7A6EFC9665350457EFA05C7350CE35DC0197A0

Uniqueness

Uniqueness Score: -1.00%

Function 012A2A80 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2edd99fd6aa20ff543dc10aeef58a19403ea450e09850884db5b9bf439d2e43
Instruction ID: 17fceb4b4e91ceb6a01267b49b951a6840406fda13e4d87ae52ade37743e49bf
Opcode Fuzzy Hash: e2edd99fd6aa20ff543dc10aeef58a19403ea450e09850884db5b9bf439d2e43
Instruction Fuzzy Hash: E00178B12102108FC710EF38D50899BBBF5FF85214B1489A9E19ACB769EF38EC048BD4

Uniqueness

Uniqueness Score: -1.00%

Function 012A32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ca6b6e2b2ce3c0e71c9e6d0ecd0d0175a6ff0ae877134fb6bcbc13bc6ea269
Instruction ID: f998533b8616d7c726ec967132306c994474a518c8d9d50a3759e1c09bb14347
Opcode Fuzzy Hash: 36ca6b6e2b2ce3c0e71c9e6d0ecd0d0175a6ff0ae877134fb6bcbc13bc6ea269
Instruction Fuzzy Hash: DB012934A20204CFCB44EBB4F46D7AE7FB6AF88311F444429E506A7380DF395804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012A41D0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7646f96f45cd51a9205c01b5ce3550714ff81f50a76161c760311a0da954475f
Instruction ID: 0ff9424bba5e33c0fbfaa518f18aa2af9d50193a27be3966dbc208acde724cbb
Opcode Fuzzy Hash: 7646f96f45cd51a9205c01b5ce3550714ff81f50a76161c760311a0da954475f
Instruction Fuzzy Hash: 49F0E9712141102FDB08A3B57CA56BF7FAAEFC9220F54081CF40993344CE296C014378

Uniqueness

Uniqueness Score: -1.00%

Function 012A2A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6367fdb568e6ec18f8a143b31877e26d71854a602e9a9431f4d6070ba330cf7c
Instruction ID: cf5fc6c94e5506018bf6a6b51a550659dbb3ac92e8348cf7b57ee0c68b9ac755
Opcode Fuzzy Hash: 6367fdb568e6ec18f8a143b31877e26d71854a602e9a9431f4d6070ba330cf7c
Instruction Fuzzy Hash: CBF046B16106108FC310EF28D50488BBBF6EF84214710896AE15ADB769EF79EC048BD4

Uniqueness

Uniqueness Score: -1.00%

Function 012A6388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9c9a1fa2e56cb451295a0c45ef06695ee80fde843bba670229602e96696abe
Instruction ID: 74b431631af8244e8f845196ede072530238d17b78e0e3d697d663161b1d1dd4
Opcode Fuzzy Hash: 9e9c9a1fa2e56cb451295a0c45ef06695ee80fde843bba670229602e96696abe
Instruction Fuzzy Hash: 13F09074900208BFCF44EBA4E98669DBBF1EF54200F604168A405E7340DA709F41A754

Uniqueness

Uniqueness Score: -1.00%

Function 012A4237 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f5f7716ab303ec10ce7479ae174fe8f5c4f5bf1dea1a6254169b3443282ad6
Instruction ID: d1a80b4825f90160beb330f34b28322803f3761558825b5e4eef5b65a78b1200
Opcode Fuzzy Hash: 51f5f7716ab303ec10ce7479ae174fe8f5c4f5bf1dea1a6254169b3443282ad6
Instruction Fuzzy Hash: 56F05C322101401FD715A779B9246BE7F57EFC0620F48053DE84147358CE75BC8647D4

Uniqueness

Uniqueness Score: -1.00%

Function 012A6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229b019ef91acf14a03ecb3eb95f664e7043d257fd11d674b19e127f51992f9c
Instruction ID: a762d6ff60744f6985d174315a5b3d5a5e90a02ec977143f9121094197a65425
Opcode Fuzzy Hash: 229b019ef91acf14a03ecb3eb95f664e7043d257fd11d674b19e127f51992f9c
Instruction Fuzzy Hash: A0F08C74A00208EF8B04EFA8E9859ADBBB1EF84200F6045A8A808E7344DA706F44AB54

Uniqueness

Uniqueness Score: -1.00%

Function 012A2D92 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672410f624238f15875f40dce41887285673b001652957e44389d0e7ece82d4c
Instruction ID: 4631edb64e3ec3e7bf6ebc08d48b836f42e14857e022dde325bc24ff828a5986
Opcode Fuzzy Hash: 672410f624238f15875f40dce41887285673b001652957e44389d0e7ece82d4c
Instruction Fuzzy Hash: FBF08C71E200188FCB48EFBCD8466D9BBF4EF49310B5044AAE619E3701EB70AD10CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012A2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26cc848764c32b6093801bc0d9e226fac993371a934619659a44d30e68fe6868
Instruction ID: c8395da2aeee545d6ecb08c01b32e03c231ae6f818d6974ca97262bd8914689b
Opcode Fuzzy Hash: 26cc848764c32b6093801bc0d9e226fac993371a934619659a44d30e68fe6868
Instruction Fuzzy Hash: 0AE0ED71E20118CF8B84EFBCD5456DEBBF5EF49310B5140AAD519E7311EB709E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 012A1FF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19e4f240f772064a9fbbd1c8ac434850f1e66efbb0dc3479fd4cde9eb424d0e
Instruction ID: 746dec5c0d1816b3a1107265dd6e77dddef9b645baf0430fbb04bf3efeb4c402
Opcode Fuzzy Hash: b19e4f240f772064a9fbbd1c8ac434850f1e66efbb0dc3479fd4cde9eb424d0e
Instruction Fuzzy Hash: 1BE04F367102404FCB15577DE42CA9A7FE9EFCA521B0808A9F546C7361CD70DC028790

Uniqueness

Uniqueness Score: -1.00%

Function 012A2008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed777051cb71eed231b909f52a876ea79e863dae6a6868eecf560eb6acd2080
Instruction ID: fd2b5767145e91eb5f18d2c705ba95911a5070252df50bfa3486490cfc817002
Opcode Fuzzy Hash: aed777051cb71eed231b909f52a876ea79e863dae6a6868eecf560eb6acd2080
Instruction Fuzzy Hash: 25D05B357102144FCB14577DE41C85A7BDDDFC9521305047AF506C7360DD71DC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 012A37EF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c085d1df719827103abe9c2d3863de9da77bcc0e2590f9277864dc554b4a689
Instruction ID: c6afceb94f7ef1ec335988a0e4e32533bd724aaebb2fd31c4c951a50fd6c9798
Opcode Fuzzy Hash: 2c085d1df719827103abe9c2d3863de9da77bcc0e2590f9277864dc554b4a689
Instruction Fuzzy Hash: 11D05E77B102105BDB1596A9B905ABAA39FABC8322B084526FA09C7294EFB58C015790

Uniqueness

Uniqueness Score: -1.00%

Function 012ADD40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a07e8a3287593a5b074f6cf1e3c99bec225193ba0771a6a289fa4b689288384
Instruction ID: d916a0e6e0b891e9cdae780ec022d00d5f214ed73b07e6f1be08c9eac9a9d5c4
Opcode Fuzzy Hash: 6a07e8a3287593a5b074f6cf1e3c99bec225193ba0771a6a289fa4b689288384
Instruction Fuzzy Hash: 72D01736350A248F8761EBA8E54489AB7E8EB4966134041A6EA0AC7B21CA61FC008AD0

Uniqueness

Uniqueness Score: -1.00%

Function 012A66C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e341aaab2404f39e405235f19f2e9b50c4c1f7908a3d869f92f65bfd1e562ae
Instruction ID: 29491a7008bb53ffa2a4f3850dd3beb3410881baf02c8a48f508d219a133867c
Opcode Fuzzy Hash: 6e341aaab2404f39e405235f19f2e9b50c4c1f7908a3d869f92f65bfd1e562ae
Instruction Fuzzy Hash: 67D0A7737292A01B870A626C78190986BB9DFC615134F06ABF105DB387DD540D0653D5

Uniqueness

Uniqueness Score: -1.00%

Function 012A6469 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6bb5820dfea64ac59b2f74d956e1f9965df1001e1539b768b7392947da3ccc
Instruction ID: 1b3a12f2fa500e3fdc64ee76fd299036ca54a610c81e7cd2b7041cb22cfd4578
Opcode Fuzzy Hash: 0b6bb5820dfea64ac59b2f74d956e1f9965df1001e1539b768b7392947da3ccc
Instruction Fuzzy Hash: DBD097B10242000FC708CB20CA8B22237B5FF0130034604F0D019CB23EE528C802CB10

Uniqueness

Uniqueness Score: -1.00%

Function 012ACFFE Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7314f9ad5e9f6d01f959d5cfa155844e8fc1d2c27c158e93ae187c5b41fd7c
Instruction ID: 3c46283ee2d1119e059ff5c00a7dabcbcbf2c1b3860c1eebde5aa2e74da06948
Opcode Fuzzy Hash: 8d7314f9ad5e9f6d01f959d5cfa155844e8fc1d2c27c158e93ae187c5b41fd7c
Instruction Fuzzy Hash: CED0A73807520587FF200791A10A3753F595F80359F54C029B60A4A9C1DBF6808ADE11

Uniqueness

Uniqueness Score: -1.00%

Function 012A6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b74e128b9975810cb4de8d6b0269410c9f01876e4babd70faafda5474a2315
Instruction ID: 0e6d8ee5eb64f41369cd8e8abe759d23f4f115152c2daaa0a2f640fbcda1b25c
Opcode Fuzzy Hash: d5b74e128b9975810cb4de8d6b0269410c9f01876e4babd70faafda5474a2315
Instruction Fuzzy Hash: 01C012353842048F8608EB6CE080825B3EAEB8C71035000A8E619CB33ACE20FC828A18

Uniqueness

Uniqueness Score: -1.00%

Function 012A5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d436468b176432b8b24abe72172cb7732eeec2e8c372b2b1fbc8af1181bb307
Instruction ID: 2298d37611776092489e01fa2ad9c93e4d36e54ca41e7840729c75110149ef3b
Opcode Fuzzy Hash: 4d436468b176432b8b24abe72172cb7732eeec2e8c372b2b1fbc8af1181bb307
Instruction Fuzzy Hash: BDB02B3012030A5B96000519BC0E6123F1DEF505143400194BF0800200AE23C4100080

Uniqueness

Uniqueness Score: -1.00%

Function 012ACA9B Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2480176676.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12a0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e77285ede222051d7ac91bbe30c716d719100d616f5db5af285c538ba28c59
Instruction ID: 61ea69a66e2ba2b9587400985f56cc72428f9ab51d53dd33041ec592ed238f1c
Opcode Fuzzy Hash: 29e77285ede222051d7ac91bbe30c716d719100d616f5db5af285c538ba28c59
Instruction Fuzzy Hash: 7BC04CFBD6D7C53AFB435B60BD993447FB45712306F0D0082A2CCA95D3E6A410158755

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 6352, Parent PID: 7924COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 02F4E598 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 02F4E602

Memory Dump Source

Source File: 0000000C.00000002.2664834830.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2f40000_Pinball.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 70bfb48f42a5f8a0b8c3467f9a9e2faabe16a2d0c207276f1bac7d55dbc9ecbf
Instruction ID: 4e397967472d42680fa94e41b49ba4bb365a381317d79bb237d82432f2e9b1a4
Opcode Fuzzy Hash: 70bfb48f42a5f8a0b8c3467f9a9e2faabe16a2d0c207276f1bac7d55dbc9ecbf
Instruction Fuzzy Hash: 9B01A2313402046FC304ABADE890AAA7FBAFBD9290760412AE515CB351CE329C059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F4E5A8 Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 02F4E602

Memory Dump Source

Source File: 0000000C.00000002.2664834830.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2f40000_Pinball.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1676761a4ac32e76a18f06f1419c639f0712b3f9055304bb733b0746b3a9ecf0
Instruction ID: 3c67a1c135fbbe10acc99531dcc105794bcc6ce6777167068e72b07ed46f5c1c
Opcode Fuzzy Hash: 1676761a4ac32e76a18f06f1419c639f0712b3f9055304bb733b0746b3a9ecf0
Instruction Fuzzy Hash: F6F04F313401149F8704AB5DE8949AF7BAEFBD92607504129E519DB360DE319C049BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F4E02F Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 02F4E602

Memory Dump Source

Source File: 0000000C.00000002.2664834830.0000000002F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2f40000_Pinball.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 16667ca7103e04d3696fd9f406c318bd790245ac73a5c7b43613de1a53f3ca9b
Instruction ID: c68b0fe890abd0f00c2215242146a45f3dae65937297d159a55054c732a79209
Opcode Fuzzy Hash: 16667ca7103e04d3696fd9f406c318bd790245ac73a5c7b43613de1a53f3ca9b
Instruction Fuzzy Hash: 73F054313401149FC704DF58D8949AE77A7FFD82507208129E605CB364DE319C059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0189DA58 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597bdf6793a914fd02c5f74f3de4e7349bd2618dc4f8b00a71759381910ccd97
Instruction ID: d4533a8184cda90027e07386caea27213d11abb59b476c24d9f5b76511481516
Opcode Fuzzy Hash: 597bdf6793a914fd02c5f74f3de4e7349bd2618dc4f8b00a71759381910ccd97
Instruction Fuzzy Hash: 20212571644244DFCF05DF58D9C0B16BBA5FB84318F28C76DD9098B256C33AD516CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0189D6B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27d3c8fe70b0a47b3a4836401d820a01723c10d8acc721b8498eb2a2b2453e6
Instruction ID: d39dfa8019bd00ead800e0e2d4f8eb4a9c17f4bba5a4a7ea765b670dbdf3d8df
Opcode Fuzzy Hash: a27d3c8fe70b0a47b3a4836401d820a01723c10d8acc721b8498eb2a2b2453e6
Instruction Fuzzy Hash: 6B214975504244EFCF01DF58C9C0B2ABB65FB84318F28C66DE8098B352C336D546CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0189E1DC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c621593beac003ce881f197ea7138a1985f6602b3dd03cac1be9533f45d485
Instruction ID: 45184eeee8377c33b5d4077c7ceea8bc66aff116a238b3539992ce761dde7f22
Opcode Fuzzy Hash: 13c621593beac003ce881f197ea7138a1985f6602b3dd03cac1be9533f45d485
Instruction Fuzzy Hash: A52138B0504244DFDF04DF58D5C4B26BFA5EB84718F28C6ADE9098B341C33AD546C662

Uniqueness

Uniqueness Score: -1.00%

Function 0189D0EC Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7afccc8c97a376c6d9a925778c8de40e0d02d71b445534209d81dd07fdd874f
Instruction ID: 8fe1f5b6406456f198ed3c6a90d55b6c39f3c31b2384dbc19e35aa260a1696e6
Opcode Fuzzy Hash: a7afccc8c97a376c6d9a925778c8de40e0d02d71b445534209d81dd07fdd874f
Instruction Fuzzy Hash: 0D2123F26046449FDF05EF58C9C0B26FBA5EB84318F28C76DD9098B352C33AD546C665

Uniqueness

Uniqueness Score: -1.00%

Function 0189DA53 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3ac9388d48d1d0907abc59679f8125cf5a58857ce11d2f015c82d4c6e0e3dd
Instruction ID: c74b4cf5084589ad0c9599d6dbe04e59a29f94aebe34e670556dddbd5165271e
Opcode Fuzzy Hash: ba3ac9388d48d1d0907abc59679f8125cf5a58857ce11d2f015c82d4c6e0e3dd
Instruction Fuzzy Hash: 9D118E76544280CFDF06CF58D5C4B15BF61FB84314F28C6A9D9098B266C33AD55ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0189D6AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: cec8a66b76e7ed56c3a0dc48a991e9731fa8e9f95a52b836561d0a5684b3fd75
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8A119D79504280DFDB06CF54D5C4B19BFA1FB84318F28C6AAD8498B656C33AD54ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0189E1D7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 2587cad7e3cf9be843d11ed2255abe44f6d396b4bed261ff2c204cd59b7f284d
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: B011E0B5504280CFDB16DF68D5C4B25BFA2FB44314F28C6AED8498B692C33AD54ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 0189D0E7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2664546844.000000000189D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0189D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_189d000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction ID: 682579c71eb5362222ae646aaabb6e58dc974a637de1f6bbdc35a98e0decab36
Opcode Fuzzy Hash: a92e343b2ec8107a1b7e7b4a0bdf893b5718a373afcbc14ce15bd6b9ac5bef1e
Instruction Fuzzy Hash: 3311CEB65046808FDB16DF18D5C4B15FFB1FB84314F28C6ADD8498B652C33A954ACB52

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 7668, Parent PID: 7924COMMON

Executed Functions

Function 01044F58 Relevance: 11.8, Strings: 9, Instructions: 600COMMON

Download Yara Rule

Strings

(oq, xrefs: 0104586F
(oq, xrefs: 0104589B
(oq, xrefs: 01045655
(oq, xrefs: 010451F9
(oq, xrefs: 010451CD
(oq, xrefs: 01045056
(oq, xrefs: 01045082
(oq, xrefs: 010455CF
(oq, xrefs: 010455A3

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-1155985100
Opcode ID: 643e27879888e4d235ac5cbc277edb72a3deb606149c149133b786a412c39537
Instruction ID: 5f0e5b24cfe5fc403161308fc21323cb3c4158465a72649bbef5f34aaeff4da2
Opcode Fuzzy Hash: 643e27879888e4d235ac5cbc277edb72a3deb606149c149133b786a412c39537
Instruction Fuzzy Hash: D432A174B002188FDB54DF69D8986AEBBF2BF88300F258169E505EB365DF349D42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01043750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON

Download Yara Rule

Strings

(oq, xrefs: 01043820
(oq, xrefs: 01043786
(oq, xrefs: 010437B2

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: ee32233ee28f7a5ded88d02b73edb47d7f6cc2bb09ba67390ca9dca321957d16
Instruction ID: 1593f983ed0d23468d5f90d5e3265f1e5e43348bb317811a2b43591c57ac5533
Opcode Fuzzy Hash: ee32233ee28f7a5ded88d02b73edb47d7f6cc2bb09ba67390ca9dca321957d16
Instruction Fuzzy Hash: 56217D357041A44FD32AAB3A181403E7BEBEFC9350319426AE505C77C5DE288D0783D6

Uniqueness

Uniqueness Score: -1.00%

Function 01043BE0 Relevance: 3.0, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

(oq, xrefs: 01043DE5
(oq, xrefs: 0104419C

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-3207256227
Opcode ID: 70fb1d500474d6ea6aad2ef047ce332d8f3c8ddc9f39c06f499d2716edd24d2f
Instruction ID: ec93a0b5afcf20faf04a4dd6f5ffaee097d35988d859aa004818bb65c3366804
Opcode Fuzzy Hash: 70fb1d500474d6ea6aad2ef047ce332d8f3c8ddc9f39c06f499d2716edd24d2f
Instruction Fuzzy Hash: C0F17F74B002148FDB05EB69D99466EBBE7AFC8300F148469E506EB3A9DF35DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0104385A Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

(oq, xrefs: 01043BA1

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: b1c84a1466e002ef7809171d13eb1cdbda458a07adb75af0fba3fde7782a4e45
Instruction ID: c92dba37bb1c93a8fa2ecf4c550107c776c368a7ccaef991c3f232034575ce1d
Opcode Fuzzy Hash: b1c84a1466e002ef7809171d13eb1cdbda458a07adb75af0fba3fde7782a4e45
Instruction Fuzzy Hash: 56C14274B00228DFDB05DFA9D954AAEBBF6BF8C310F104169E905A7369DB359C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0104BEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0104BF75

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: f702d1fdf17b9997b4eceae44eaa8cc6331f07e39b464c021710468f4e44613d
Instruction ID: 72037e7b89bcee76f25c5394179f56fb9de4237e5c6b8e3f2fdac6383f3e46d9
Opcode Fuzzy Hash: f702d1fdf17b9997b4eceae44eaa8cc6331f07e39b464c021710468f4e44613d
Instruction Fuzzy Hash: E94180747002018FC754DF2AC898A6EBBE6FF88710B2580A9E505DB3B5CA74EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0104BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0104BF75

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: eb806362b987140ed36e7bf5d20880ead36723678d31cea9b0932ec1715499e4
Instruction ID: 2d72cfe2ac96263b56a0c4f9fd366b83c6396062e7fabdb85e077ce1df43bd0b
Opcode Fuzzy Hash: eb806362b987140ed36e7bf5d20880ead36723678d31cea9b0932ec1715499e4
Instruction Fuzzy Hash: CC4170747006118FC754DF6EC898A6EBBE6FF88710B2580A9E506DB3B5CE75EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 01042B10 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

LRkq, xrefs: 01042B35

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: ded3008b4f6b886470b11322b8bd6fe852d9c7ba49555e36feba9b3aee04c592
Instruction ID: 80716d8ae47f14a3c6bb8b19632cda11c3082e503e600d2feb54bb35a67b1e2a
Opcode Fuzzy Hash: ded3008b4f6b886470b11322b8bd6fe852d9c7ba49555e36feba9b3aee04c592
Instruction Fuzzy Hash: F53109347002158FDB4AAB35D55496E33B6EB89A14B2181B9E10ACB3A9DF39DC43CB94

Uniqueness

Uniqueness Score: -1.00%

Function 01044237 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

(oq, xrefs: 01044295

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 6de02cc80166fc2b9907f4b07b91ef71e351fccb55e001007073c85bc7d31486
Instruction ID: 0a4d16c5c738f4e899354a18a2d810cd33e230b6531b8a56a19a91540975660c
Opcode Fuzzy Hash: 6de02cc80166fc2b9907f4b07b91ef71e351fccb55e001007073c85bc7d31486
Instruction Fuzzy Hash: E01144317082904FC3069B7968292BE7FE2EFC221075941AFD481CB76ACE299D4AC791

Uniqueness

Uniqueness Score: -1.00%

Function 01041049 Relevance: .8, Instructions: 841COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c132bd6f66c89b8b9478c7e7f786de4f4959c7b95f71b31fde5eb31c4cc12b0e
Instruction ID: 7e8fe45f9feb200ac3dd53e66408545c5ebf80311216508577faddc2bc4e7162
Opcode Fuzzy Hash: c132bd6f66c89b8b9478c7e7f786de4f4959c7b95f71b31fde5eb31c4cc12b0e
Instruction Fuzzy Hash: 8982117C640219DFDB06EBA5D654B6E7B77EB8C300F204914A901333ACCB36A996DB35

Uniqueness

Uniqueness Score: -1.00%

Function 01041058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef57222c806dcc8bff53eda9adaffb5ee1ac9c125631a4565814ab18869dc6ba
Instruction ID: 28e35e7dae6fec641fcca126f12355bd13f846f37883302bbce856a1fc8c7aec
Opcode Fuzzy Hash: ef57222c806dcc8bff53eda9adaffb5ee1ac9c125631a4565814ab18869dc6ba
Instruction Fuzzy Hash: 0A82117C640219DFDB06EBA5D654B6E7B77EB8C300F204914A900333ACCB36A996DB35

Uniqueness

Uniqueness Score: -1.00%

Function 0104B0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d040681877d32a7282eff729a4893fbd17011c256b08c70f19bacfe2a916ef
Instruction ID: e5ed3fa8edd51f440ebcca7e0e3b924060e60674301fd09ace573c270162e882
Opcode Fuzzy Hash: 95d040681877d32a7282eff729a4893fbd17011c256b08c70f19bacfe2a916ef
Instruction Fuzzy Hash: A5525C38A01210CFCB19EF29E59896D7BB6FF88301B5585B9D5068B369DB35EC92CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0104AF90 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aabc52171f1ee26cd5dfbca0ba62e3e171fa78d444d8aa366a104629c7a235f0
Instruction ID: 5ca80f141a1dc81a5fd673aa0193d77486d21e379b939447b116b7e63eed0111
Opcode Fuzzy Hash: aabc52171f1ee26cd5dfbca0ba62e3e171fa78d444d8aa366a104629c7a235f0
Instruction Fuzzy Hash: FD61E46194E3D04FC707AB3999A1199BF75EF83214B0A41EBC081CF1B7EA64984CC7E6

Uniqueness

Uniqueness Score: -1.00%

Function 0104C060 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0405244766ad10bd965f114be3e2d78b399e72549602fad4e89b656407d7e367
Instruction ID: 10255cae3d9567f8f501b2b57fd495ad7389e44db9a096f9631259075baae63c
Opcode Fuzzy Hash: 0405244766ad10bd965f114be3e2d78b399e72549602fad4e89b656407d7e367
Instruction Fuzzy Hash: 257127716406409FC355DB25CA5155BFBA2FF84304314CA3E958B8BB69EF72F94A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0104C070 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c306b37a9d715a7fd7a4871a05838a7719fd3ff39953e5338c3326e0e806e0f6
Instruction ID: 689da36026036dbbe0e0ed75b90c35344b6a0f30a4c2475d887b91eb501f48a5
Opcode Fuzzy Hash: c306b37a9d715a7fd7a4871a05838a7719fd3ff39953e5338c3326e0e806e0f6
Instruction Fuzzy Hash: 367117716406009FC355DB25CA5155BFBA2FF84304311CA3E958B8BB69EF76FA4A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0104BB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97805fb83dc72bf687b15e0747783676c59948e374ddf27d80be26874abde275
Instruction ID: 0ec614a34dbb2a921b201f4ad2cb91e7d726ad73286cd071becc063f02f2c7f3
Opcode Fuzzy Hash: 97805fb83dc72bf687b15e0747783676c59948e374ddf27d80be26874abde275
Instruction Fuzzy Hash: 70810CBC501215CFCB11FF1AE689D19BBB2FB88301B25C6A8D5058B629C774EC9ADF40

Uniqueness

Uniqueness Score: -1.00%

Function 01045A91 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5b9292dc3d22804bee91080369166e6ca15cf32be1d5e789da97c3b7e1b8e4
Instruction ID: 7055f19a3f18993ca5cb6fb4bd879542c526b6ac81041d0340dde2d8524613e8
Opcode Fuzzy Hash: ea5b9292dc3d22804bee91080369166e6ca15cf32be1d5e789da97c3b7e1b8e4
Instruction Fuzzy Hash: 56512CB5B002068FCB44DFA9D998A6EBBF6FF88310B1141A9E505DB366DB30DC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0104C798 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba39e966ce4a5492dc23f2fe731f428a44191a78491b427d93cec246cddd60dd
Instruction ID: 6a248c1ab38d0cb37f9571b6d8549eec4478444405dae8705cd0ecc6f0c0670b
Opcode Fuzzy Hash: ba39e966ce4a5492dc23f2fe731f428a44191a78491b427d93cec246cddd60dd
Instruction Fuzzy Hash: B951E4716406409FC365DB25CA5145BFBE2EF85304315CA3EC18A9B765EF36FA4A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 01045240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a56b0cb48e2f6dbb932bb5f0ce4f86e11cddacf31beaabc7764b3600816857
Instruction ID: 80961e01671a1197d770b9bab2011718f639d44e3a36fee9e462baa4e2167b12
Opcode Fuzzy Hash: a0a56b0cb48e2f6dbb932bb5f0ce4f86e11cddacf31beaabc7764b3600816857
Instruction Fuzzy Hash: F6513EB4A00218DFDB14DFA9D994AAEBBF2BF88311F148179E545AB364DB349C41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0104C353 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0225792a403c5b1165fcd8eb94e866ffc1c175be2b7698bd4ab654218681d9
Instruction ID: e6407041056398213e86dd478b1254aa770c572a61a2da0f18068db7a5c45a91
Opcode Fuzzy Hash: 6d0225792a403c5b1165fcd8eb94e866ffc1c175be2b7698bd4ab654218681d9
Instruction Fuzzy Hash: DA417DB25093804FD706CF78C6A019ABFE0FE4121434499BEC4C6CF656EA21E50BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0104C988 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afed649b2ea52e204c1fb5f3abcef9e0107426deafa935094ef0aa6489931c85
Instruction ID: 4a8d164b413ebca5a328bb3d1524a4c5980343a7d3693f7fa4b43256b5bfc3a1
Opcode Fuzzy Hash: afed649b2ea52e204c1fb5f3abcef9e0107426deafa935094ef0aa6489931c85
Instruction Fuzzy Hash: D3418172541644AFC355DF78CA4109ABBE1FF893103108A7EC08A8B665EB32F94ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01042850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a42bdf218b21d8ec2ecf590c33a49f96e5f4816eda4f5ef088c9cb7fdd28f4
Instruction ID: 1384ff11367a9d6b26049fc1383835a2db0dbd483a6f96c0427b9bd14fcc08cc
Opcode Fuzzy Hash: c4a42bdf218b21d8ec2ecf590c33a49f96e5f4816eda4f5ef088c9cb7fdd28f4
Instruction Fuzzy Hash: 2A41EB74A10218CFDF14DFA5E98499DBBF2FF88340F144569E911AB368DB359885CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01045308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d2f880ab1c8b941b6202166f6e8c162cd22ffeaa6f30f2b15de9090c986a34
Instruction ID: fcfa0d0e2ccc22901cb01a1d79e81381ef11e3b08ae99c314c8830cac9209b19
Opcode Fuzzy Hash: 92d2f880ab1c8b941b6202166f6e8c162cd22ffeaa6f30f2b15de9090c986a34
Instruction Fuzzy Hash: 9341EA74A00118DFCB04EFA5E9949ADBBF2BF88311F108165E945AB369DB349D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01042842 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fe3b61ef30edc77265b8a2c40f4a14ade097440991a8b6430a0097c9391645
Instruction ID: 2ea8fb75b7e723dfd31def7db00c316df7835e2d4b677a96fc551950f9894f8c
Opcode Fuzzy Hash: 49fe3b61ef30edc77265b8a2c40f4a14ade097440991a8b6430a0097c9391645
Instruction Fuzzy Hash: 8D312B74E10208CFDF14DFA5E5885EDBBF2FF88340F14456AE501AB268DB359886CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01042C48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008939edbd90dbe13615ad31131710ccc0406f4f5602318858e1126cc4097941
Instruction ID: 1777eab73f1a8d577004572f91e052ab8ccdf6b20c292cbf2ed079e2b376c0e1
Opcode Fuzzy Hash: 008939edbd90dbe13615ad31131710ccc0406f4f5602318858e1126cc4097941
Instruction Fuzzy Hash: 20413B78A00219CFCB04EFA9E5845EEBBF1FF48314F104269E515A7369D7349986CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01044B50 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588e53c73f1d38d26d51afabba5af7958315b946a9c6b30b012a43692597537e
Instruction ID: 432696e569a4f78ceff7a169e00080ed8ce732c0c124fa8c913384d136af60b2
Opcode Fuzzy Hash: 588e53c73f1d38d26d51afabba5af7958315b946a9c6b30b012a43692597537e
Instruction Fuzzy Hash: 3B2107302043415FC715EB79EC98A6EBBE2FFC4310B048A39D0058F369DB74AD4A8B95

Uniqueness

Uniqueness Score: -1.00%

Function 01042C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b2e5cbece94f056bed120ff0e98e6de527618c16f3e486760264d0a7e53044
Instruction ID: 86193e762a76f46a93d4eee4075c3c70b4edee6714096e98af4305a97f0338ae
Opcode Fuzzy Hash: b6b2e5cbece94f056bed120ff0e98e6de527618c16f3e486760264d0a7e53044
Instruction Fuzzy Hash: 8B3119B8A00219CFCB04EFA9E5845AEBBF5FF48314F104265E515A7369DB349986CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0104288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24246611707c4ee9cf0865752c564069201bb78098f8e7f48cbd6dca97994b8
Instruction ID: 48188b183d7d975c62c9c2e3ad8763f54746be965041b669c1e04775a133e15e
Opcode Fuzzy Hash: a24246611707c4ee9cf0865752c564069201bb78098f8e7f48cbd6dca97994b8
Instruction Fuzzy Hash: 49311E74A10218CFDF14DFA5E5846ADBBF2FF88340F14416AE901A7368DB345885CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0104CEC0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6edade774047656798a84352949f0a5b3f85be95157cbd8a9a83d25e3e1a72f
Instruction ID: 3de5945399dd4a2778369dc0369fd6f7a9a66c63973446841b1de5c8b1f45201
Opcode Fuzzy Hash: b6edade774047656798a84352949f0a5b3f85be95157cbd8a9a83d25e3e1a72f
Instruction Fuzzy Hash: A4216BB1C41218DFEB25CFA9D68879EBBF1FB49310F20846AE446A7340CB755988CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01044B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746830c88e2bd252e16abe67dc8ad9cec94a767198424e907ac48ef0326517e3
Instruction ID: 0f994a10305766c3ac0d49c037a62845cec73cd1f4a4df8b0a117743f466c330
Opcode Fuzzy Hash: 746830c88e2bd252e16abe67dc8ad9cec94a767198424e907ac48ef0326517e3
Instruction Fuzzy Hash: CF2193302002015FC714EB7AED88A6EB7A6FFC4314B448A38D4168B369DF74BD898BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0104CED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cafa96ff81ef481fb4ad49b5823839c6f804f29725820f70ddee171e560e64
Instruction ID: f38811c7402ddc1d373212ce47bbc00704e3e3108d2244b17d190cfc1308b6e0
Opcode Fuzzy Hash: 59cafa96ff81ef481fb4ad49b5823839c6f804f29725820f70ddee171e560e64
Instruction Fuzzy Hash: 29216DB4D41218DFDB25CF69C68879EBBF5BB48310F20846AE846A7340CB759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01042908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ca9d52a52815983a92985aeb6a08692ea114154cf9f84930752c616d2d9eda
Instruction ID: 81c4562eeb48f66aba334bf0f56790d3413c7d5064a87c7c52ad6403ad898c50
Opcode Fuzzy Hash: 60ca9d52a52815983a92985aeb6a08692ea114154cf9f84930752c616d2d9eda
Instruction Fuzzy Hash: F821D878E10118DFDF14DFA9E9849ADBBB2FF88340F108125E915A7368DB349846CF60

Uniqueness

Uniqueness Score: -1.00%

Function 01045C42 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d3605da459367f84de622fd90cb8eff525bfc02c4df2fe11fe70ccea7ed3ab
Instruction ID: 88982d8c39ed94cef5ba5b323290257189e0f285ebee2c9698e789367f5d6c40
Opcode Fuzzy Hash: c6d3605da459367f84de622fd90cb8eff525bfc02c4df2fe11fe70ccea7ed3ab
Instruction Fuzzy Hash: DC21BE71E002488FDB51CBA9C988BDDBBF1AF48310F2401A9D541FB3A5CB799D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01045C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf4c2af055ae3ef614453e3acc0d5cc4b2b558ea9f10ce6708cca3002a78cb9
Instruction ID: 533e3338099dc53252b0311009dcb5b27c84b13fdc79578da28d55c1d8fab4c8
Opcode Fuzzy Hash: cdf4c2af055ae3ef614453e3acc0d5cc4b2b558ea9f10ce6708cca3002a78cb9
Instruction Fuzzy Hash: 13216A75A002188FDF10DBA9C988BDDBBF1AF4C310F2000A5E545BB365CB35AD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0104296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a79641346426d854ee5c889e7378fa0cd0b7d5ce30bef5e9135dcab49726e4
Instruction ID: 5d37e967bb82b7297491a81371e9ddd27b73171e9a76a025fc9fe3cbcb7d925a
Opcode Fuzzy Hash: 50a79641346426d854ee5c889e7378fa0cd0b7d5ce30bef5e9135dcab49726e4
Instruction Fuzzy Hash: FE21B578A10218DFDF14DFA9E98499DBBF2FF88340F204169E915A7368DB34AD85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01046888 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795a15fc84a06c99b2cc52a47867afb636f4890c0ba0f748cf545b49ac8ff265
Instruction ID: 0bf36b4d46e6620195b6aac44098521fe9908a055ed2820f069a72fe3aa8e6db
Opcode Fuzzy Hash: 795a15fc84a06c99b2cc52a47867afb636f4890c0ba0f748cf545b49ac8ff265
Instruction Fuzzy Hash: BC1190B5900246DFDB10CBA4CA887EDBBF5AF46300F148579D441A7262EBB78E04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010441A2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9878c792f26e6aeae35d527e8faec17153657451a6f4e6abf9743d979e329a1b
Instruction ID: 51606477b7776cd1e2d5b876c4d11e9a6457dc6186abaabdb37a3e1611489f5d
Opcode Fuzzy Hash: 9878c792f26e6aeae35d527e8faec17153657451a6f4e6abf9743d979e329a1b
Instruction Fuzzy Hash: BA0128317093845FC705AB755C680BE7FBAEFC621076540AFD401DB346CE251D0AC765

Uniqueness

Uniqueness Score: -1.00%

Function 010432E0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee8fc20d21249dbe1d49f30a1279ee52f718716c5c90851af24d17c0a8c8996
Instruction ID: c7f6a76bceef99489b2cb6231abdd065b44a13a7df20ea773157cc45021ebc79
Opcode Fuzzy Hash: 9ee8fc20d21249dbe1d49f30a1279ee52f718716c5c90851af24d17c0a8c8996
Instruction Fuzzy Hash: 70110C34A10214CFCB54EFB4F49DBAE7BF2AB98311F008469E842AB345DB755845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01045911 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd7cfa81281aed3a3877ec37d31454f39404d637db2c01818488bf9c8d363af
Instruction ID: ef791ae99c9cf16b3c5eec0d4e841e8fdf005b002887be9e0c8bb87cc398c8a6
Opcode Fuzzy Hash: ebd7cfa81281aed3a3877ec37d31454f39404d637db2c01818488bf9c8d363af
Instruction Fuzzy Hash: 1B01DFB27002409FC3168B79E898AA97FA5EB9A36131541AEE405CB356D6358C01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0104C000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197b6e7fbf67abf38d5829016054a909b46092ef469a00623fd162145065ac43
Instruction ID: 85187cac310165753e6091ed4ad61b0d8efbebfe8f3f51f913d240f0dc9f04cc
Opcode Fuzzy Hash: 197b6e7fbf67abf38d5829016054a909b46092ef469a00623fd162145065ac43
Instruction Fuzzy Hash: 9511C0347405558FCB10EF29E988989BBB1FF89714B0182A9E105CF336CB31ED05CB80

Uniqueness

Uniqueness Score: -1.00%

Function 01045940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2baac2f8ff5dda88e2fc9769fb02f763773d61f6b98769c5a8cf2a1bfc0797d1
Instruction ID: 404102c00632c618c7d0eaeedc4e6a8291bcd9921a1150b9b0176d4d8edb02af
Opcode Fuzzy Hash: 2baac2f8ff5dda88e2fc9769fb02f763773d61f6b98769c5a8cf2a1bfc0797d1
Instruction Fuzzy Hash: D001A4763001248F8714EBAAF89C82EB7EAFBC9666310457EF605C7305DE31DC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 01042A80 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819e2216f88744e741b5bb1fed2591cf946134e854e8f62abf335d1e9a97ea14
Instruction ID: 786bc26cb2af34f323717fcd76df63f3e34e23fbb59c87effcfa547eaf427443
Opcode Fuzzy Hash: 819e2216f88744e741b5bb1fed2591cf946134e854e8f62abf335d1e9a97ea14
Instruction Fuzzy Hash: C1018C706507008FC321DF38D4084AA7BF1FF8121031189AAE196CB365DB78EC048F80

Uniqueness

Uniqueness Score: -1.00%

Function 010432F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df279b78819a62762f30340aadc430ce1049ee0f17038bb7b017ef1533220489
Instruction ID: 8b815d5c7980a6cba22436ed1cec5e88e24c5957382050005dfe42f89edd40b2
Opcode Fuzzy Hash: df279b78819a62762f30340aadc430ce1049ee0f17038bb7b017ef1533220489
Instruction Fuzzy Hash: 3E010C38A102448FDB14EBB5F46CBAE7BF6AB8C311F004469E942AB389DF755845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01046388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9406e4b9dc76aa72e13ff2ecfa00e779ee628509ba9aaa645fb70de375b4962
Instruction ID: f9fd69b7e5a0d1a6fceb2da710e7b4331d9e62ac5eb83225179074a0aa715596
Opcode Fuzzy Hash: c9406e4b9dc76aa72e13ff2ecfa00e779ee628509ba9aaa645fb70de375b4962
Instruction Fuzzy Hash: 5BF0CD70D00348EFCB40EFB8E9494ACBFF1EF9A200B1181E9D408EB255E6304E45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 010441E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713b71e9da17866374cd8bd75b1bb3cfce284ed81688ecf8152402a20a86825e
Instruction ID: 084b61b8c81848f8b34c0b0d1c968a41a82335558cc11e14abf4ea18197e6915
Opcode Fuzzy Hash: 713b71e9da17866374cd8bd75b1bb3cfce284ed81688ecf8152402a20a86825e
Instruction Fuzzy Hash: EBE0ED713042042F8718A7AABC5D97F77DEFFC82647A40429F609D7348CE252D0143A9

Uniqueness

Uniqueness Score: -1.00%

Function 01042D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbabbfad697e4f63e822d6d9460eb82ceaede3d36a78eba19a6968130d18eeff
Instruction ID: 5adebce90836632860276de1260b1c861379b1a6791118e3e36a5df69cdfc5cc
Opcode Fuzzy Hash: dbabbfad697e4f63e822d6d9460eb82ceaede3d36a78eba19a6968130d18eeff
Instruction Fuzzy Hash: 42F03470E20229CFCB94EFA8C54A5DDBBF0EF48310B1144AAE509E7221E7718D018B96

Uniqueness

Uniqueness Score: -1.00%

Function 01041FF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c396ae7760942882c373e1bb47089baaed49aeb5c4012185b0f3ee52032cc82
Instruction ID: 789c084447ce05c5e84bf3697a3fe38507d8a0575e0ef89fcd6a1f4269e7dafc
Opcode Fuzzy Hash: 5c396ae7760942882c373e1bb47089baaed49aeb5c4012185b0f3ee52032cc82
Instruction Fuzzy Hash: 20E06D346403518FCB659B79E0588997BE5EFC632131144BAE046CB321DA758C52CB21

Uniqueness

Uniqueness Score: -1.00%

Function 01046398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efaa842447de3260311f165486a157d5db1dcdf770783ccf6d55a5540f94954d
Instruction ID: d07de0f5cd82b23e41cb0033dcd9b0debb4cee8eff35e970cdfb4a0a87c271c3
Opcode Fuzzy Hash: efaa842447de3260311f165486a157d5db1dcdf770783ccf6d55a5540f94954d
Instruction Fuzzy Hash: F8F01C74A0024CEF8B40EFA8E94996DBBF5EF88200F5041A8A909E7355EA306F45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0104CFE0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f1d0311b5ad9ab036a976baadf5b54af16a1ef9c2ab6564fe2778ade100141
Instruction ID: 6c816adcac6299a00bdf6e0161999aeaaedb9415aac8fbc9756270c42ead63d5
Opcode Fuzzy Hash: 25f1d0311b5ad9ab036a976baadf5b54af16a1ef9c2ab6564fe2778ade100141
Instruction Fuzzy Hash: 8FE0ABB08CE3444BFB3602866A443343F441B12304F4680FBE4C6072E1C2EA48CDC740

Uniqueness

Uniqueness Score: -1.00%

Function 01042DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f17d7a259a6289c74227bb753ed050fb93b95633f9d67fd5219b3966494e39
Instruction ID: 7d7b79852089a3878bb2ebf430f3682cbcef743a41b5995d68b905c47cc4d3a0
Opcode Fuzzy Hash: e4f17d7a259a6289c74227bb753ed050fb93b95633f9d67fd5219b3966494e39
Instruction Fuzzy Hash: A9E0C971E101188F8B84EFAD95096DEBBF5EB48210B5140AAE559E7351EA709E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0104374E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c028521962c75e4522773f759e858c8331c56aab064def6ac27d3b3bc5ce44c
Instruction ID: 0e27de7dbaf5028743e02b3a302fc5c4d92c1169a3491e96600b762b2a28f259
Opcode Fuzzy Hash: 7c028521962c75e4522773f759e858c8331c56aab064def6ac27d3b3bc5ce44c
Instruction Fuzzy Hash: 81E0CD75B001244B8779D62960445BE67E7BBC83A1B18413AFD49C331CDF344C038790

Uniqueness

Uniqueness Score: -1.00%

Function 010466C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804c90f60f130736172ad7bf570fbb3b5083ac52c28b7f798d430ca0e0dc29dc
Instruction ID: 9926e3489478665f2102f0b13d7572ea20a6bdbcd97b3b0e6e8c92b0d42d2972
Opcode Fuzzy Hash: 804c90f60f130736172ad7bf570fbb3b5083ac52c28b7f798d430ca0e0dc29dc
Instruction Fuzzy Hash: 59D0A93231002013C3052A7CB818AEA33C2DFCA212B4A023BF204DB309DE998D421381

Uniqueness

Uniqueness Score: -1.00%

Function 01046469 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a45ec5b6928a4e3a25ffd1780a6fa09b165ef95f9ffd48be8bf96b7fd3b4d8
Instruction ID: 71828b435d7b7b31e69cb663406a3e9f3b2fb7fbab1930da356ec344cde74588
Opcode Fuzzy Hash: 79a45ec5b6928a4e3a25ffd1780a6fa09b165ef95f9ffd48be8bf96b7fd3b4d8
Instruction Fuzzy Hash: 89D05EB5A442008FC709CB38E1848697BF2AB9D35171105BAE159C737ADA21CC82CA14

Uniqueness

Uniqueness Score: -1.00%

Function 01046478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1cdcbb0c4571b7cad422466fe180c54d9c579960d1d23a4de46d0cc66ea696
Instruction ID: 8614fa7c72a37eb455a24dd6559b204fad0c0595f2a3914a7c60880d6d0f69c3
Opcode Fuzzy Hash: cf1cdcbb0c4571b7cad422466fe180c54d9c579960d1d23a4de46d0cc66ea696
Instruction Fuzzy Hash: 43C012743402044F8204DB5CD04482573EABB8C71035101A4E619C7339CE20EC82C658

Uniqueness

Uniqueness Score: -1.00%

Function 0104CAA0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfba5b29b6bbb98fcb1598646af986bda7629cb5d793b91b3d477c7e8e8f9e94
Instruction ID: 61876d6289893cb3dee5951ef13f4266dbea0b8357dce3d4f65b3e9432c45a2c
Opcode Fuzzy Hash: bfba5b29b6bbb98fcb1598646af986bda7629cb5d793b91b3d477c7e8e8f9e94
Instruction Fuzzy Hash: A9C012B16893C09FEB038B2106662943F309B4B224B5585D3D2C5894939160085AD211

Uniqueness

Uniqueness Score: -1.00%

Function 01045640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2437481676.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1040000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4ac50933af582a7b6c4dc294dc6bab63de44d5ea833e9c13c1d519f5f9f6e2
Instruction ID: b51ffc41925920902cc089bc5b02c3115d60305e5acb87496408db192dcb4151
Opcode Fuzzy Hash: 1c4ac50933af582a7b6c4dc294dc6bab63de44d5ea833e9c13c1d519f5f9f6e2
Instruction Fuzzy Hash: 36B02B3010020D6796101519FC0C5113F5EEB4001430001E4BD0806100BD23C4100180

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 7660, Parent PID: 7924COMMON

Executed Functions

Function 02724F58 Relevance: 11.9, Strings: 9, Instructions: 621COMMON

Download Yara Rule

Strings

(oq, xrefs: 02725056
(oq, xrefs: 0272586F
(oq, xrefs: 02725655
(oq, xrefs: 027251CD
(oq, xrefs: 027255A3
(oq, xrefs: 027255CF
(oq, xrefs: 027251F9
(oq, xrefs: 02725082
(oq, xrefs: 0272589B

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-1155985100
Opcode ID: 5fd79f2fb194a6af7e66c7e98919bf75ec557a8296005207137f5f2148ee4d52
Instruction ID: 86c682a4bdba907637fd5098a1a830b128f32691d419d5fe002b0197182c206a
Opcode Fuzzy Hash: 5fd79f2fb194a6af7e66c7e98919bf75ec557a8296005207137f5f2148ee4d52
Instruction Fuzzy Hash: 6A32B170B002288FDB08EF69D4546AEBBF6EF89310F148169D905E73A5DB34DD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02723860 Relevance: 4.4, Strings: 3, Instructions: 683COMMON

Download Yara Rule

Strings

(oq, xrefs: 02723BA1
(oq, xrefs: 02723DE5
(oq, xrefs: 0272419C

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq
API String ID: 0-3965398577
Opcode ID: 650db5e7be874948cf1c4c46c76d65a5f1d661c936783fccb992fbf86530b09c
Instruction ID: 0e1cb569e8bfda322d73551790a085b1ab0ba5ef968aca735b85742d89b45136
Opcode Fuzzy Hash: 650db5e7be874948cf1c4c46c76d65a5f1d661c936783fccb992fbf86530b09c
Instruction Fuzzy Hash: AD424F34B002149FDB05EF69D954A6EBBB7EF88300F148069E906A73A8DF39DC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02721049 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c471ac084421a38983d11d50d28025759776238854f2d0ae5f95f182743b1e
Instruction ID: 3d365a2cc56167bb48b5b55b8642cc6e7a31f5bf18d05d00314bcb235cd36c7b
Opcode Fuzzy Hash: 23c471ac084421a38983d11d50d28025759776238854f2d0ae5f95f182743b1e
Instruction Fuzzy Hash: 04827078641209DFDB06EBA4D654B6E7BB7EB88300F104814E801337ADCB36AD96DB75

Uniqueness

Uniqueness Score: -1.00%

Function 027235F0 Relevance: 5.2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

Strings

(oq, xrefs: 02723786
(oq, xrefs: 027237B2
(oq, xrefs: 027236B6
(oq, xrefs: 02723820

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq
API String ID: 0-1255004691
Opcode ID: 7f2ad3acae0c272ba12b3774460eef87aba79403bf017eb7ee8107d39f5f04da
Instruction ID: ea175a1e90ee1dda5d1c546b5a4d5d0f94c84b62310ef4ca8863204f73a93cee
Opcode Fuzzy Hash: 7f2ad3acae0c272ba12b3774460eef87aba79403bf017eb7ee8107d39f5f04da
Instruction Fuzzy Hash: 2A5135317041541FE719BB39682063F6BEBEFC5210728856DD906CB3E9DE28DD0B87A6

Uniqueness

Uniqueness Score: -1.00%

Function 0272B0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

e9p^, xrefs: 0272B23E

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: e9p^
API String ID: 0-2378208608
Opcode ID: 0ca94b2cc69098aa03ddc9991b55c48d57f0c3f01d9cacd790bd12426189d4a6
Instruction ID: cb4f01a29b128cda4cbc2341c7c6b19355887935e3cec44fc21f9ae7f7979dda
Opcode Fuzzy Hash: 0ca94b2cc69098aa03ddc9991b55c48d57f0c3f01d9cacd790bd12426189d4a6
Instruction Fuzzy Hash: B3524B38A02211CFCB19EF34E598A6D7BB2FF84705B548469D4069B3A9DB35DC86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0272BEAF Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0272BF75

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: d7d9f1279992e9543d71d38c0144bb637e9d1b629def43b796884c310a473d28
Instruction ID: 8746d195510cb565050d1baead36f7cea09185a1ffce5524ab638f7d7e2501cc
Opcode Fuzzy Hash: d7d9f1279992e9543d71d38c0144bb637e9d1b629def43b796884c310a473d28
Instruction Fuzzy Hash: 2E415B747006119FC754EF2DC498A6EBBE6FF89710B6580A8E506DB3B6CA71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0272BEC0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Tekq, xrefs: 0272BF75

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 6e4c7276719721c92263bf7fa59f82bb72b864dfbd3abca539c8300037bc0654
Instruction ID: aa1ef789ab0c38dc5c100c0a36ccb282ce03c5c4df2671bca4076657daad69fd
Opcode Fuzzy Hash: 6e4c7276719721c92263bf7fa59f82bb72b864dfbd3abca539c8300037bc0654
Instruction Fuzzy Hash: 87311B747006118FC754EF6DC598E6EBBE6FF89710B6580A8E506DB3B5CA71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 02722B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02722B35

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 388569337a32f368d0bb81f123bac20ea86cf2ad592ffd12e71a0023ac389616
Instruction ID: c6c0ff1e3d35c2617173d6af2a884800863f5d2b21de1966ead11282a5ec5797
Opcode Fuzzy Hash: 388569337a32f368d0bb81f123bac20ea86cf2ad592ffd12e71a0023ac389616
Instruction Fuzzy Hash: B2311C307012058FD71AAB39D550A6E37B6EB89A15B21817CD50ACB3B9DF35DC078B94

Uniqueness

Uniqueness Score: -1.00%

Function 02722B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02722B35

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 9d72e477861f32f41f459eeaf1700a383ce4bfcae44c70afbfe0e367444bb746
Instruction ID: 419cace098aafc0c564fadbd344b7c9d55b0ce3ad98c563810de3219eb282272
Opcode Fuzzy Hash: 9d72e477861f32f41f459eeaf1700a383ce4bfcae44c70afbfe0e367444bb746
Instruction Fuzzy Hash: BA31F4307012158FD70AAB39D564A2E33A6EBC9A54B20817CD10A8B3B8DF36DC478B84

Uniqueness

Uniqueness Score: -1.00%

Function 02724248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(oq, xrefs: 02724295

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: d9fb628111e7eb76d444352da271598f61d36432e66d1b26ed2442fc8263c7c1
Instruction ID: e7c1a0536dcf2ae4052ff86272cef53e3e5634691a8c108a46c2f3c558e97f87
Opcode Fuzzy Hash: d9fb628111e7eb76d444352da271598f61d36432e66d1b26ed2442fc8263c7c1
Instruction Fuzzy Hash: 0C019C327082900FD306AB7D682462F7F97EFC261035840AED842CB395CE68ED4AC3D5

Uniqueness

Uniqueness Score: -1.00%

Function 02721058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9868cfe8b910256837f2491e70c6da5a1dcd3f440fd0e7d369ce5b0b5b116c94
Instruction ID: 88bd57e79aac633675b27135cbe191c515f16261f9b68285cdd3aef4ef5e5f98
Opcode Fuzzy Hash: 9868cfe8b910256837f2491e70c6da5a1dcd3f440fd0e7d369ce5b0b5b116c94
Instruction Fuzzy Hash: 1C826078641209DFDB06EBA4D654B6E7BB7EB88300F104814E801337ADCB36AD96DB75

Uniqueness

Uniqueness Score: -1.00%

Function 0272BB99 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0caff8b35adc8319a9f1fe54dbaba4fcff86e3bed7aeb0e59df0784f84d8357
Instruction ID: 43b93b3e2c70653b417cfb4808932f14a995b19f5ec14e861c2b8c172a5fc3fc
Opcode Fuzzy Hash: e0caff8b35adc8319a9f1fe54dbaba4fcff86e3bed7aeb0e59df0784f84d8357
Instruction Fuzzy Hash: 0D81F87CA02201CFCB1AEF24E699A19BBB2FB44704B15D569D5158B3ADC770E98ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 0272385B Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3391b9fdb5cdb4e1545feef59537190a435b68172e6edaa6ba89a126671f907a
Instruction ID: d12364d07752954354ff138eefc136c48e5acece82ed8b980781aba4e0dc55ba
Opcode Fuzzy Hash: 3391b9fdb5cdb4e1545feef59537190a435b68172e6edaa6ba89a126671f907a
Instruction Fuzzy Hash: C9612D74A01218EFDB05DFA4E994AAEBBB6FF88310F144069E905B7364DB35EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02725AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cfa63860e4604aa2bbbbea9254497803800d8dcde4636d4ea2ea27ffbad83c
Instruction ID: d7b15570769471237836a573c13fe668f29e4a536d54c32813484ca84260ff17
Opcode Fuzzy Hash: 23cfa63860e4604aa2bbbbea9254497803800d8dcde4636d4ea2ea27ffbad83c
Instruction Fuzzy Hash: 30511A75B002168FCB08DF69D594A6EBBF6EF88314B518068E506EB365DB30EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02725240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302cb705e5011deec292d0276f47601603709ae175b59ef0ea82d139ca83561f
Instruction ID: bc5a08aad05fd1672bff059e522ebb00b6bab541acd9e354f26135623fe7cb2f
Opcode Fuzzy Hash: 302cb705e5011deec292d0276f47601603709ae175b59ef0ea82d139ca83561f
Instruction Fuzzy Hash: F6513A30A012289FCB18DFA5D584AAEBBF7FF88315F548069E805A7365DB34AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02722850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ab640fa2fbef4dcf413a39e9a53f1e45d3c1db1dbe135afc7ec9306431fa7d
Instruction ID: 849dec2a4421a50eb7e1a1fb37ce886b5d34514d6b8ce2214b8d01d90dbfdb56
Opcode Fuzzy Hash: e1ab640fa2fbef4dcf413a39e9a53f1e45d3c1db1dbe135afc7ec9306431fa7d
Instruction Fuzzy Hash: DA41F874E40218DFDB18EFB5E984AADBBB6FF88300F204529D905B7269DB359846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02725A91 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129a2692411362978fd6033bfa3290f4a51c0c1f915f91381a87b4146370a017
Instruction ID: c3aa8eac638abc7de0a606f03247a6774e2544b4e5e9242e16f840a4c8576f1a
Opcode Fuzzy Hash: 129a2692411362978fd6033bfa3290f4a51c0c1f915f91381a87b4146370a017
Instruction Fuzzy Hash: 43315C75B001068FCB04DF69D984D6ABBF5FF88210B5181A9E509DB372DB30ED06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02722843 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e5ec339e90463c82ccff10f87b1346d664e9274523eb5d3d2539b3661e6619
Instruction ID: bd87ef73e881f03332a54b0aa15a7434476d1d3e3296ab1b0d0737df7b314910
Opcode Fuzzy Hash: 76e5ec339e90463c82ccff10f87b1346d664e9274523eb5d3d2539b3661e6619
Instruction Fuzzy Hash: 63315070E40208DFDB08EFB4E984AEDBBB2FF88300F104529D901B7269DB75994ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 02725308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc81155f759e79dd33e599baee78510b8a85d1a252ce418462bd437e2b70c0f0
Instruction ID: dafccbb68d1d14eeff007ef7b5f76ed8373cc195c72bfb1f55a36cfb51f713c9
Opcode Fuzzy Hash: fc81155f759e79dd33e599baee78510b8a85d1a252ce418462bd437e2b70c0f0
Instruction Fuzzy Hash: 59410E34A01124DFCB09EFA5E5949ADB7B7FF88315F608069E805A7364DB349D46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02722C48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9e51cd7c00b68c5937b79a6c4118cf51ed746ae0a27dfa8dc3392772c6c40c
Instruction ID: 459814a59c802e13118fc1cd5b0fd152457388aebe934a852783ea229f354e4f
Opcode Fuzzy Hash: eb9e51cd7c00b68c5937b79a6c4118cf51ed746ae0a27dfa8dc3392772c6c40c
Instruction Fuzzy Hash: 5E411C74900209CFDB09EFA4E984AEEBBB1FF48314F104569D905A7369EB359D86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0272B0A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbd7ba125d22e85a48c2c4fcf12e1c5baef20c57504f711d9a81628bf0a65e1
Instruction ID: 209c5d789704ce1176fdbd8f1623c926b3e6b68b914f71f9a0db265ee436827c
Opcode Fuzzy Hash: fbbd7ba125d22e85a48c2c4fcf12e1c5baef20c57504f711d9a81628bf0a65e1
Instruction Fuzzy Hash: E531D730A002159FCB04EB78E9847ADBBB6FF85314F50852DD016AB3A5DF71AD0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 02724B50 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af284a3869b2bc0176cbc6ea6a098ea91e1f1b9ca5ed9b463a3e52ad69d51c0
Instruction ID: 6bb224a76644fe415f5a7d08069033d8f8f9a9ad8e79d78f03e0dad6c6c5ff71
Opcode Fuzzy Hash: 7af284a3869b2bc0176cbc6ea6a098ea91e1f1b9ca5ed9b463a3e52ad69d51c0
Instruction Fuzzy Hash: FF21F6312043425FC711EF78E850A5EBFA2FF81210B048A39D4568B3B9DB60AD4A87A5

Uniqueness

Uniqueness Score: -1.00%

Function 02722C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6013900b3da90c3fff6d782c7ddccf34772b1bd656689ba226565d7181a5a5
Instruction ID: a254a9010d53fd5ecfcd413eee93e0383105460b48353d0bf31bd0a665f2bb52
Opcode Fuzzy Hash: fe6013900b3da90c3fff6d782c7ddccf34772b1bd656689ba226565d7181a5a5
Instruction Fuzzy Hash: 7E31FD74900209CFCB09EFA4E5849EEBBB5FF48314F105529D905A7369EB359D86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02725698 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12d8be1781077b40d3da10461f7656556a0499e5f98c6569dd1cb48468ab56f
Instruction ID: 9bfb9467f704d46a8ab2c92afb114b7f1505190c313da469ea007f55b7fb48e5
Opcode Fuzzy Hash: c12d8be1781077b40d3da10461f7656556a0499e5f98c6569dd1cb48468ab56f
Instruction Fuzzy Hash: 3C21AD74B016149FCB18DF29D598A6EBBFAAF8C600F644069E806E7360DFB0ED05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02725C41 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2492875d6c251149391a34ecc10897a06770c8c32d943c813770a6da2b46bfba
Instruction ID: b87f05cb6353f44d64943ddbbf0a626733811c08b26cbd394f2e635b1c1e3dc7
Opcode Fuzzy Hash: 2492875d6c251149391a34ecc10897a06770c8c32d943c813770a6da2b46bfba
Instruction Fuzzy Hash: 7921AF71A042988FDB05CBA9C598ADCBFF1EF49310F555096D001FB362DB385D8ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 02724B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51838c237e5c8133727c91917da919c51ac40cc574805fd439af033fcdf99fef
Instruction ID: a2352706c74477a2e70fc48945d8fc8c56bc715a9e147d3e26093ba7a69e6e9f
Opcode Fuzzy Hash: 51838c237e5c8133727c91917da919c51ac40cc574805fd439af033fcdf99fef
Instruction Fuzzy Hash: 062184312403025FDB15EB79E990A5EBBA6FF80310B048A38D4168B369DF70FD4A87A5

Uniqueness

Uniqueness Score: -1.00%

Function 02726888 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7b9ffd82dfe0d6ea3e7106145165d2a7ec5ce495fce982097a8a3f31c03ff7
Instruction ID: 326268f9f22db78514188037709e6b396a010b340423522bd3b44b205f3531e6
Opcode Fuzzy Hash: da7b9ffd82dfe0d6ea3e7106145165d2a7ec5ce495fce982097a8a3f31c03ff7
Instruction Fuzzy Hash: 54218171D00229DFDB14DBA4CA487EEBBFAEF44304F10806AD045B7261DF759A09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02725C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adff693413c0898d635a82fb3d62953c2635aaf219149026aa1c1d00f155691e
Instruction ID: 177ff9f1a6847a12aa3831b4b1ba6fa961ef1d5b8243e310a1a07d9e14d1d271
Opcode Fuzzy Hash: adff693413c0898d635a82fb3d62953c2635aaf219149026aa1c1d00f155691e
Instruction Fuzzy Hash: A8213B35A002198FDB14DBA9C588BDDBBF1EF4C310F6410A5D505BB360DB759D84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 027241A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43840f3f607249be55bc272f40ef7722aa03e28a2208568739f63b03a4a28de5
Instruction ID: 16852aa6ae4a64afdcf8da21f148f002f4f4b0c720b1df603adf3798b31c8183
Opcode Fuzzy Hash: 43840f3f607249be55bc272f40ef7722aa03e28a2208568739f63b03a4a28de5
Instruction Fuzzy Hash: 5001283260C3851FD7066B7868215AF2FAAEF8621071540AFD915DB3E6CE245D078376

Uniqueness

Uniqueness Score: -1.00%

Function 027232E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aecc6b70acb0baa5a5d0843a6ab34c75045b048fd40c9dc00a36161bea4cd5b
Instruction ID: 0cc1b4bb56aae761414bfac5b6adb0a51e99cc7a78f53d27f62bc8565ed518a8
Opcode Fuzzy Hash: 9aecc6b70acb0baa5a5d0843a6ab34c75045b048fd40c9dc00a36161bea4cd5b
Instruction Fuzzy Hash: 0C119A34A143889BCB48EFB8F458BAE7BF6EF88311F004528CA4297391DF384816CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02725940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f794c058e8b96802dfd1af2f66e17e06f14185ff03145a6d77c3284397eaaae
Instruction ID: c15a3dae878ce3f749ad013c953b2b7e09c6cfe6bc52eba3bf183c326675d9b4
Opcode Fuzzy Hash: 7f794c058e8b96802dfd1af2f66e17e06f14185ff03145a6d77c3284397eaaae
Instruction Fuzzy Hash: B001A4763012109F9704AF6DF49492EBBAAFBC9665310853EEA06C7351CF31DC0287B0

Uniqueness

Uniqueness Score: -1.00%

Function 02722A80 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716b85410f9eea8882f8a513f0da882a53ef765d425ea1ee299355f9beeae22d
Instruction ID: 35195919bcc16500da39c45a2ae617ad2505b0ed19b113e8f12b430c060afa0f
Opcode Fuzzy Hash: 716b85410f9eea8882f8a513f0da882a53ef765d425ea1ee299355f9beeae22d
Instruction Fuzzy Hash: 9B019EB16007008FC311AF3CD505A9B7BE1FF81614B1589ADD599CB3AADB74EC058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 027232F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee9dc688db3db34a95001eadf27bf81db1117f745b3dc8bccbd0bd464b8e870
Instruction ID: e4e80733b626599785528b156ae54efd412bec3c8a0ae0a529e60906102d816d
Opcode Fuzzy Hash: 3ee9dc688db3db34a95001eadf27bf81db1117f745b3dc8bccbd0bd464b8e870
Instruction Fuzzy Hash: B5012934A003489BCB48EFB4F458AAEBBBAEB88301F404429DA02D7381EF795C15CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02722A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449820723182f39d9f06bf530b8e26957e55fd2f63ad9bc6352b580c0599aaa0
Instruction ID: a02a35b7b11af3781980f5ae6004978a6d777e9b608a8e41348e907a0f7faad6
Opcode Fuzzy Hash: 449820723182f39d9f06bf530b8e26957e55fd2f63ad9bc6352b580c0599aaa0
Instruction Fuzzy Hash: 12F069B16106008FC710AF7CC50598BBBE6FF84614711C96DE15ADB769EB75EC088BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02725610 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5814c1d2debed818c4330f5fd6de6fc98b7c693591d3dc38f930c976841ed58c
Instruction ID: df22a438b0a71f98282eab13eaa90605a4f5b03e85452f66db9561fcaf53689e
Opcode Fuzzy Hash: 5814c1d2debed818c4330f5fd6de6fc98b7c693591d3dc38f930c976841ed58c
Instruction Fuzzy Hash: 2EE0CDA55093415FD307073CBCE71D17F35EE1761831541C6D588C6113F51E8C5B4792

Uniqueness

Uniqueness Score: -1.00%

Function 02724237 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bbe5dcf119a9941a95d32abe282c959123da019187630d614d4ff77488dec8a
Instruction ID: 6859b8a3c71c80b3b60fbd22b708d404c41251e633a66afae5be7979c45bfec9
Opcode Fuzzy Hash: 6bbe5dcf119a9941a95d32abe282c959123da019187630d614d4ff77488dec8a
Instruction Fuzzy Hash: 24F059322043410FC3155B38A810B6E3B56EFC2620F09412DD8814B699CF649D4643D0

Uniqueness

Uniqueness Score: -1.00%

Function 02726388 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80492a5c6539171038c0f15f20d610eec2478a63d364f5fd76b7e341f2b14dd6
Instruction ID: d5d59c4f5a70c32bd0adb919452b67ddd90ebd7ac46bef3b292750c1f0398d29
Opcode Fuzzy Hash: 80492a5c6539171038c0f15f20d610eec2478a63d364f5fd76b7e341f2b14dd6
Instruction Fuzzy Hash: 27F0F674D01208AFDF00EFA4F84559CBFB1EF45200B1081A9D408E7256DA309F06DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0272593E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18880198b103c5902fd6d802d66b80560faff80c9b963cb581f24bd31435beac
Instruction ID: 7c323b443af4b47abff733b065a9360defe6ac861d3020e59b40241853f56475
Opcode Fuzzy Hash: 18880198b103c5902fd6d802d66b80560faff80c9b963cb581f24bd31435beac
Instruction Fuzzy Hash: 52F05E763012109F9704AF29F49496ABBAAEBC9665320806EEA09C7321DB31DC0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 027241E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edef855313659e8033a3676ae00646c3c43e46ca3cbdf16d1fcd000d7a73570b
Instruction ID: c721874a25612f3e0d8ad287529957569f0a304edd957e174f5bfa7e9c166499
Opcode Fuzzy Hash: edef855313659e8033a3676ae00646c3c43e46ca3cbdf16d1fcd000d7a73570b
Instruction Fuzzy Hash: 4BE02B323042056FAB18AAAA7C51E7F779EFBC9260754442DF50AD7384CF217D0143B5

Uniqueness

Uniqueness Score: -1.00%

Function 02726398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6620dcc211a35a1d08fe2fd909ac8431e899ce8e499afd32c76de252a61cd958
Instruction ID: 3695a5f36d8122835eca9cf3ddb1cf799680a330bb6e74e6781d41e6b9d82543
Opcode Fuzzy Hash: 6620dcc211a35a1d08fe2fd909ac8431e899ce8e499afd32c76de252a61cd958
Instruction Fuzzy Hash: A4F08230A0120DAFCB04EFA8E94599DBBF5EF84200F5081A89904A7354DA306F05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 02722D96 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e5b59a01fec5ed8541ba936f0ef1d66fae0f4467fcbeed54749ee16ac93f7d
Instruction ID: fe506b2e4da9f6269e27e01303a16276fc6f31603d162f5eed9a9fe16a812feb
Opcode Fuzzy Hash: 34e5b59a01fec5ed8541ba936f0ef1d66fae0f4467fcbeed54749ee16ac93f7d
Instruction Fuzzy Hash: A8F08271E141198FC744EFBC84016DD7FF0EF49210B1142AAD959E7291E7308D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 02721FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df405857a768f6b698a03705b07ba882b98d59c3f863d3652d7c724d33bfc03
Instruction ID: 1ef292e12aaa8bf925d344adf3c206c5bdc201f1728fd51ac156249cd5307443
Opcode Fuzzy Hash: 2df405857a768f6b698a03705b07ba882b98d59c3f863d3652d7c724d33bfc03
Instruction Fuzzy Hash: C3E092757003444FC7165778E418B997FE9DF87125B0604EAE906CB3B2CE658C02C351

Uniqueness

Uniqueness Score: -1.00%

Function 02722DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331d62c012a6e5320df40d136e5a0a5c72ce34f72f79405ec39a79d9ee2bc511
Instruction ID: de1d55170bf90865e9e4f0ba65e619604b514de53a570c7cc991e68c6cd4399d
Opcode Fuzzy Hash: 331d62c012a6e5320df40d136e5a0a5c72ce34f72f79405ec39a79d9ee2bc511
Instruction Fuzzy Hash: 5CE0C971E141188F8B84EFAD95056DEBBF5EB48211B1140AAD619E7311EA709E118BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02722008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847762c5a1b37e233d6982bbe5cded417d7cc4229a2185abb3a188b82abb51e9
Instruction ID: e2f9513b9d1a92842ca30dfe39d79ca1cc3d9e5b57a10c763597ba2b92891158
Opcode Fuzzy Hash: 847762c5a1b37e233d6982bbe5cded417d7cc4229a2185abb3a188b82abb51e9
Instruction Fuzzy Hash: E5D012357003148FCB14A67DE41C85A77EDDFC9561301046AE506C7320DD75DC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02726469 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3178624b7cdcdab0466680a11db9bf065cbb2135ef3759d886094248aad41199
Instruction ID: ff463b02846d5c7bf8274cfe8284663429624607c2061fc2ef01770e847eff94
Opcode Fuzzy Hash: 3178624b7cdcdab0466680a11db9bf065cbb2135ef3759d886094248aad41199
Instruction Fuzzy Hash: 31D05EBA7882004FD304AB18E0814607BB6EB9D614B1104A5E61DCB37AD920DC838705

Uniqueness

Uniqueness Score: -1.00%

Function 027266D2 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a534b621d30c7625c529a01be6b793b00bb750c5b0ded0c6bf6ca9032b47e56
Instruction ID: fef15843e4feff93924f1a9451cd96738e4da21c68c91263ca7bd4837cf420d0
Opcode Fuzzy Hash: 8a534b621d30c7625c529a01be6b793b00bb750c5b0ded0c6bf6ca9032b47e56
Instruction Fuzzy Hash: 06C08C33704020271904325C38440FC57CBCBCA961789007BF70AF3349CD50CE0313A2

Uniqueness

Uniqueness Score: -1.00%

Function 02726478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97a80a1ed7452ee2df14a4a90e5e690e16a4ff914a3480358e56f50461ed32d7
Instruction ID: e35fe276be0ae7be92c8ec106c202eb8d449a76e277bcd6aeb0bf4b60d2502a5
Opcode Fuzzy Hash: 97a80a1ed7452ee2df14a4a90e5e690e16a4ff914a3480358e56f50461ed32d7
Instruction Fuzzy Hash: 85C012353802044F8208EB5CD08081577EAEB8C71435000A4E619C7339DE21FC838618

Uniqueness

Uniqueness Score: -1.00%

Function 02725640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2557260360.0000000002720000.00000040.00000800.00020000.00000000.sdmp, Offset: 02720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2720000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ce1711b444951f584ede34bf8b02a6d20f7241325da9361d8b1e7d6d49a174
Instruction ID: 4ac88cc21dbbeeee8fe9cc4bf648f066aeff003dbfbfc4859d1a8a4cb0aa6ac7
Opcode Fuzzy Hash: 60ce1711b444951f584ede34bf8b02a6d20f7241325da9361d8b1e7d6d49a174
Instruction Fuzzy Hash: EEB02B3051030D5786000515BC084113B1DEB405183400294ED0800100AE23DC240080

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 6356, Parent PID: 7924COMMON

Executed Functions

Function 017C4F58 Relevance: 11.9, Strings: 9, Instructions: 610COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C5056
(oq, xrefs: 017C55CF
(oq, xrefs: 017C5082
(oq, xrefs: 017C586F
(oq, xrefs: 017C5655
(oq, xrefs: 017C51F9
(oq, xrefs: 017C51CD
(oq, xrefs: 017C55A3
(oq, xrefs: 017C589B

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-1155985100
Opcode ID: b9c7481cc60c7a50704ed6b7bc82dd236a5078da7e0dc122c2498e848ad927e9
Instruction ID: 061eef356fc498563c1a287c048ae4d4fce5873f207ce42ab4e28d513ea9ccef
Opcode Fuzzy Hash: b9c7481cc60c7a50704ed6b7bc82dd236a5078da7e0dc122c2498e848ad927e9
Instruction Fuzzy Hash: 35328E74B002188FDB05DF69D5546AEBBF2EF88710F25806EE506EB395DB35AC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017C1049 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3004e7c3b2a004de251afb71bb1d66bca16e5fcbeb10e2b7a7a0f14c650176
Instruction ID: 24d92c10e0b8d17b787b98fcd16cee76f6f86fbbcea30dc066f4c8a3a7100106
Opcode Fuzzy Hash: 5b3004e7c3b2a004de251afb71bb1d66bca16e5fcbeb10e2b7a7a0f14c650176
Instruction Fuzzy Hash: 3E82B574640209DFDB06DFA4D654B6E7F7BEB88301F104468E801337A8CA7EAD95DB26

Uniqueness

Uniqueness Score: -1.00%

Function 017C3BE0 Relevance: 3.0, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C419C
(oq, xrefs: 017C3DE5

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-3207256227
Opcode ID: 4a4162e5761d3577dc6f54584ce71207ca75e3364b32ac9bcfffbf60e776436d
Instruction ID: 7ff199da1fa4942c4e28cbf6792fcb7134928bac829d2b84763b1870d981087d
Opcode Fuzzy Hash: 4a4162e5761d3577dc6f54584ce71207ca75e3364b32ac9bcfffbf60e776436d
Instruction Fuzzy Hash: 1EF16D707002059FCB099F7DD954AAEBBBBEFC8700B148469E506E73A8DE39DC458B51

Uniqueness

Uniqueness Score: -1.00%

Function 017C3750 Relevance: 2.6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C37B2
(oq, xrefs: 017C3786

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq
API String ID: 0-3207256227
Opcode ID: e9f69530f93ff0e057b617cf5850fd3110b206952980198ec733868c3f34373d
Instruction ID: 0f935a5981b5d3035bbf883ded53af6acb32574bca379297f0b693641a1226f4
Opcode Fuzzy Hash: e9f69530f93ff0e057b617cf5850fd3110b206952980198ec733868c3f34373d
Instruction Fuzzy Hash: 3901762AB040180BD7197A3E541423F2AEBEBD536076A862DE90AD33C4DE388C0743CA

Uniqueness

Uniqueness Score: -1.00%

Function 017CB0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

e/q^, xrefs: 017CB23E

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: e/q^
API String ID: 0-2356181987
Opcode ID: c539bc83174d12a1d8b09e8ad2adc5f9e4cdbcbf527778bfc484d8e18b016454
Instruction ID: 7d660549fbf8defcd27954210dbc197447f1387a84a6b90e2e63d4a69364206c
Opcode Fuzzy Hash: c539bc83174d12a1d8b09e8ad2adc5f9e4cdbcbf527778bfc484d8e18b016454
Instruction Fuzzy Hash: E0524730A01200CFCB29EF28E599969BBB6FB85702B64857DE8069B365DF39DC45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 017C385A Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C3BA1

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: f87ee57fd746d1821d8cb99a68f76194278bc96714f83b9fbda8c1bd5bc28cdd
Instruction ID: af9fb840db8aab7177bf2e19bddfe162c70c809cb4ea906af11b9f33d9a09754
Opcode Fuzzy Hash: f87ee57fd746d1821d8cb99a68f76194278bc96714f83b9fbda8c1bd5bc28cdd
Instruction Fuzzy Hash: 2CB13074B102199FDB05DFA9D954AAEBBFAFF88710F108029E905A7364DA39DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017C35E1 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C36B6

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 60ef94fb4dfce1b8ece44c2a26aa242b0717b01756b30b99982e0d5554bef92b
Instruction ID: 74f59925dedc807d2166050062a65f74d1b3a31564ba67ff2af7620f82e8f8de
Opcode Fuzzy Hash: 60ef94fb4dfce1b8ece44c2a26aa242b0717b01756b30b99982e0d5554bef92b
Instruction Fuzzy Hash: 7141E3313001011BD719AA7DA85067F6BABEFC4660768843DD506DB3A8DE38DC4B8395

Uniqueness

Uniqueness Score: -1.00%

Function 017CBEAF Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

Tekq, xrefs: 017CBF75

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: c1159ebd37dc276eb3678bd5b884a6a2f16ae076db337699400c984d0ec739df
Instruction ID: d24817867ad80ef3edd5abd60581f19fa556ab6943cb73e99a0a559a2b0080d4
Opcode Fuzzy Hash: c1159ebd37dc276eb3678bd5b884a6a2f16ae076db337699400c984d0ec739df
Instruction Fuzzy Hash: 94415C747106019FC754DF3DC898A6EBBF6BF89710B6580A8E506DB3B5CA75EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 017C2B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

LRkq, xrefs: 017C2B35

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 0f172ab57b537d7db088db6ebc362b607fecef2810c0a1768cb804a92486f454
Instruction ID: 5fa2ebeaa09ea14de8eb224a543a394c29602e2a6c992ee3229acaa52a1a4bd6
Opcode Fuzzy Hash: 0f172ab57b537d7db088db6ebc362b607fecef2810c0a1768cb804a92486f454
Instruction Fuzzy Hash: D731ED757002058FD70AEB39D550A5E37AAEBC9A15B20917CD10ADB3B8DE7ADC438B84

Uniqueness

Uniqueness Score: -1.00%

Function 017CBEC0 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Tekq, xrefs: 017CBF75

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 351415dba3ff72f8322f27750ea0f7ad3c5cf5f1da0349d26f5f974820a9e164
Instruction ID: c847533c91424d8ba93b800fc135c1e2e8991c3eb547f397cd592f28f8edca5b
Opcode Fuzzy Hash: 351415dba3ff72f8322f27750ea0f7ad3c5cf5f1da0349d26f5f974820a9e164
Instruction Fuzzy Hash: 23313A747106118FC754EF3EC498A2EBBE6BF88710B6580A8E506DB3B5CE75EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 017C4237 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C4295

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: d56e1c697026c54924245b3f83d4e26e17b713ac79a6eef69b6ccfcb331e0888
Instruction ID: f19b5c0207d6a3732202a10b94e1f3af3dc9e1ca32cdc7cb4593a25754a7b823
Opcode Fuzzy Hash: d56e1c697026c54924245b3f83d4e26e17b713ac79a6eef69b6ccfcb331e0888
Instruction Fuzzy Hash: 4E016B322081401FD30A977D58253BE7FA7EFD151074841AFD442CB754CE689C4A83D5

Uniqueness

Uniqueness Score: -1.00%

Function 017C37F0 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

(oq, xrefs: 017C3820

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 0c97bbdf94e985f21790d21a9af5cf88d90924894b6a4d52db4d31ac94adc134
Instruction ID: f6b7d572b6a4c886f1426c061435b21f80931d892deeb2e9b6db3789558cf3c6
Opcode Fuzzy Hash: 0c97bbdf94e985f21790d21a9af5cf88d90924894b6a4d52db4d31ac94adc134
Instruction Fuzzy Hash: 9BF059327081544BD7096B7E180047F7FEFEBC5220714822AEA05C33D0DE699C0643A1

Uniqueness

Uniqueness Score: -1.00%

Function 017C1058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb05e529c07804eda016a2155a3d788c54026c7bc6afbee5205b22b704ed56cb
Instruction ID: b9ca357396f011e006ac7d76911d74d441e4e33db29ffa0fa5fc5b54f13ba84a
Opcode Fuzzy Hash: eb05e529c07804eda016a2155a3d788c54026c7bc6afbee5205b22b704ed56cb
Instruction Fuzzy Hash: 0C82B574640209DFDB06DFA4D654B6E7F7BEB88301F104468E801337A8CA7EAD95DB26

Uniqueness

Uniqueness Score: -1.00%

Function 017CBB99 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59c2e2a1cd8b32ba6a0b03bdcad0adaada009c4f692689d46c778b8043f02a7
Instruction ID: da40f1425b8c01bc8c0258024194f462cc05fb6d348fbd8a0b2233fd5b1a67b6
Opcode Fuzzy Hash: b59c2e2a1cd8b32ba6a0b03bdcad0adaada009c4f692689d46c778b8043f02a7
Instruction Fuzzy Hash: 0081C570A01201CFC711EF28E68995ABBB6FB88706B55C67CD9159B229C778EC89DF40

Uniqueness

Uniqueness Score: -1.00%

Function 017C5A91 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185cba04c78745be64494c363ee6ed506e0202085e90d43fde4fad88811cb7d5
Instruction ID: 0837a317142d3c394458508cdf9e44a936276c3334ad50e488d6cfec596ea1e3
Opcode Fuzzy Hash: 185cba04c78745be64494c363ee6ed506e0202085e90d43fde4fad88811cb7d5
Instruction Fuzzy Hash: 41511775B002068FCB04DFACD594AAABBF5EF88710B5141ADE50ADB365DB35EC05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017C2850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b822136e19a17249a200f56249a641f482efbdd8afa989633d4611e26c3cb0a
Instruction ID: 331a72cd707e6350cb06c602313bfd3735134b17c335997aeb7191d2ab263927
Opcode Fuzzy Hash: 2b822136e19a17249a200f56249a641f482efbdd8afa989633d4611e26c3cb0a
Instruction Fuzzy Hash: 8D411674A10208DFDB18DFA9E984AEDBFB6FF88301F104529E905A7265DB389D85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 017C2842 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96575e2c4898b2484ade875fc4c15a1bd16472693010804d555d97eb1cc9247
Instruction ID: 4d02d92f67a8951df11b72d362981b32bdd2d007cf5bb8379d3051cdc0248493
Opcode Fuzzy Hash: a96575e2c4898b2484ade875fc4c15a1bd16472693010804d555d97eb1cc9247
Instruction Fuzzy Hash: AB314A70A10208DFDB18DFA9E9846EDBFB6FF88341F104529D901A7269EB399985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C5308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5caf6bdc23f5a2391174d1164307a53fd66aebe9463595aea08ca677b06b012
Instruction ID: a7626046542631043b1bb25b993502467fe671493225ce7a4a912ea11da05a73
Opcode Fuzzy Hash: a5caf6bdc23f5a2391174d1164307a53fd66aebe9463595aea08ca677b06b012
Instruction Fuzzy Hash: 1041F974B01114DFCB04DF68E5949ADBBB7FF88711B20806DE906A7364DB39AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017C2C48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f6ffb21dcf3fdfe7e03538937365d315928d90dbf78149f085f7db8fe9f65b
Instruction ID: bd3150e514a0c0069cfb2521d2229b06f857bac048e3d4eacea41665706c1fd9
Opcode Fuzzy Hash: 17f6ffb21dcf3fdfe7e03538937365d315928d90dbf78149f085f7db8fe9f65b
Instruction Fuzzy Hash: 0D41C3B490020ACFDB04DFA8D984AEEBFB9EB48311F104529E905B7364DB799D85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017CB0A0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbcb6bf8eab977e9f0051bd90a5a252440edcc78b48d2fbaca8544f9139933ce
Instruction ID: 35824f26e7f3ccd1f10bf6f7e4ecda626d72ab1b2f3d4372621dd085b5977411
Opcode Fuzzy Hash: fbcb6bf8eab977e9f0051bd90a5a252440edcc78b48d2fbaca8544f9139933ce
Instruction Fuzzy Hash: 6031F4306102048FCB14DB78D9956ADFBF6FF86310F54852DD016AB3A5EF75AD098B90

Uniqueness

Uniqueness Score: -1.00%

Function 017C2C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f54c65799f997f0e5eb44122e9094db397a0ac063a32fd648f23045630de241
Instruction ID: 3194a2f414342ac4de176f6d8dd3c9c126f29893f502b7eb6d01ce1a69a16464
Opcode Fuzzy Hash: 9f54c65799f997f0e5eb44122e9094db397a0ac063a32fd648f23045630de241
Instruction Fuzzy Hash: 9B31B2B4A0020ACFCB04DFA8D584AEEBFB6FB48311F104529D905A7364DB79AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 017C4B70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41650f27ead301f71dfcd93407285bf896fc104e49774365eec7710a85392441
Instruction ID: 52a06eaf1f8f5d9e2c57b4d89536286161c359f4d715fde2e3fbedb5773ef190
Opcode Fuzzy Hash: 41650f27ead301f71dfcd93407285bf896fc104e49774365eec7710a85392441
Instruction Fuzzy Hash: 1C21C9312142055FC715EB7CDD90BAEBBA6FF80210B444939D0058B368DF74EC4D8794

Uniqueness

Uniqueness Score: -1.00%

Function 017C4B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ea9133ce3c14976b17b35bce14e0a1687aab1a76fda0e5d387464203afe9c4
Instruction ID: 134f8fe9d2be16a358f8b853970b1b3601ccd5f4e9e4aba61cb51f51c167b7be
Opcode Fuzzy Hash: c2ea9133ce3c14976b17b35bce14e0a1687aab1a76fda0e5d387464203afe9c4
Instruction Fuzzy Hash: DF2196302142065FCB14EB7DE981A6EBBA6FFC4210B448A39D4158B368DF74FD4D8B94

Uniqueness

Uniqueness Score: -1.00%

Function 017C5C41 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cebe643ec3ce5a95c606fdc2f44c36f698a8529b856e3246d03027aa958556
Instruction ID: 1d5994f9a385bd8decdf5bf28033dfa1232b35615a62dd73ac24b77f3a0ed8a1
Opcode Fuzzy Hash: 40cebe643ec3ce5a95c606fdc2f44c36f698a8529b856e3246d03027aa958556
Instruction Fuzzy Hash: 9721A131A042898FDB11CBA9C598ADDBFF1AF49310F1901AED441FB262DB35AD85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017C5C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083231a2c8e9995d2d06505d89453b98f76ca0ce14d6856adbc5083f11d74a58
Instruction ID: 62e69810cae08832ba6d53d102b2b3b41a3e0dc5075d125bcfae0bc38bd0e4f8
Opcode Fuzzy Hash: 083231a2c8e9995d2d06505d89453b98f76ca0ce14d6856adbc5083f11d74a58
Instruction Fuzzy Hash: F0214D35B002198FDF10CBA9D598ADDBBF1AF4C710F2401A9E505BB361DB76AD84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 017C6888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c678e4b58d862a8ff20d34f27c507eec2d68340b2db5fd6f95676eed839d8153
Instruction ID: d3fcc30d205db6eebc2b99dc5c787a6639155acd9425fd1d9ebf1fcf377b2285
Opcode Fuzzy Hash: c678e4b58d862a8ff20d34f27c507eec2d68340b2db5fd6f95676eed839d8153
Instruction Fuzzy Hash: 0C118E71E00246CFDB14DBA4CA987EEFBF2AF44704F14806EE106A7366DB758A05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 017C41A2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e429d21592bba043534e3ea8eb44ecf1128ff4bc26aa1137bca9a794976f7bf
Instruction ID: d39623ea04fb7ff75b332d37cccc2698971c593596b445af5d933eaffce4a955
Opcode Fuzzy Hash: 2e429d21592bba043534e3ea8eb44ecf1128ff4bc26aa1137bca9a794976f7bf
Instruction Fuzzy Hash: E601243130C2856FC70AAB7D9CA01AF3FBAEF861117A5009BE505D7386CE255C0A87A5

Uniqueness

Uniqueness Score: -1.00%

Function 017C32E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c94528d6aa36a95f42b21b838156d2b795386f287a53496ae0b8dac48c17f45
Instruction ID: f3698c4ed6ff86bbd3a1a0a024bab85ddd02ca5e16a672e08b6d5fbff801c77d
Opcode Fuzzy Hash: 2c94528d6aa36a95f42b21b838156d2b795386f287a53496ae0b8dac48c17f45
Instruction Fuzzy Hash: A0118B35A241048FCB08EFB8E45A7DEBFB6EB98301F004428E802A7385DF785851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017C5940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401eba5b437f0e2c8cf6f62151a84aad688a7dde89a356fd24afdab5f893a468
Instruction ID: 0b636371e495135734860a7f92fa2a29edf0e4dae6c3c81085851fd98e814435
Opcode Fuzzy Hash: 401eba5b437f0e2c8cf6f62151a84aad688a7dde89a356fd24afdab5f893a468
Instruction Fuzzy Hash: D20144767101108F8704DE7DF4988AEBBEAFBD9662350857EE605C7350CE35DC0597A0

Uniqueness

Uniqueness Score: -1.00%

Function 017C2A80 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44aa702bed11c8ab0b328177c3075356f9e20f763a873938fe127c47efb3085
Instruction ID: cd4dc0173c9125869d70505c89d133172f91eac3be4aad795368546d8371768c
Opcode Fuzzy Hash: f44aa702bed11c8ab0b328177c3075356f9e20f763a873938fe127c47efb3085
Instruction Fuzzy Hash: 140156B12102008FC710EB7CC504AABBBEAFB84614B108969D15ADB768DB79EC058BD0

Uniqueness

Uniqueness Score: -1.00%

Function 017C32F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879193d320307989ba01593ec980fcf8542dba6962179b2ab9ae3326356c0207
Instruction ID: 3f60feeafe9f3d95b5efc28f3e71ab9fc2110593fe5627eb55e79378dac51cd9
Opcode Fuzzy Hash: 879193d320307989ba01593ec980fcf8542dba6962179b2ab9ae3326356c0207
Instruction Fuzzy Hash: F301E935A242448FDB48EFB8E5597DEBFB6EB98301F004428E502A7385DF795855CB60

Uniqueness

Uniqueness Score: -1.00%

Function 017C6388 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096dd2fef9550032e7c78f9ac4596f5be0449b920c8523dba21d7ccefe837340
Instruction ID: da0901f417b4b82b533402f0b46439e55d3818780e2c43d1fd3e0e85adb8a69f
Opcode Fuzzy Hash: 096dd2fef9550032e7c78f9ac4596f5be0449b920c8523dba21d7ccefe837340
Instruction Fuzzy Hash: 81F0F6309182859FCB01DBBCD9514ADBFB1DF86210B5442EDD844AB292CA311E06EB41

Uniqueness

Uniqueness Score: -1.00%

Function 017C593E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8496b156b1576c242e1ef96b1d2e1761ce92c2d52db734c81c49b29170cb81a2
Instruction ID: 896feaa545c5d98e3de29115dea205d0fed698b29ffe37b7aed135be2c7e947a
Opcode Fuzzy Hash: 8496b156b1576c242e1ef96b1d2e1761ce92c2d52db734c81c49b29170cb81a2
Instruction Fuzzy Hash: A0F082B67101108F8705DF6DE4D89ADBBAAEFC9666314847EE509D7310CF35DC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 017C5610 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93691798a30a0f5461d7c1972f5d79e72e2cf70e9674c36ac382da0ff8614d5
Instruction ID: bf1c00b3ebbc4d696f0b724eacc0d51dc783c2ccc0a9907e0a008a4f906fbe40
Opcode Fuzzy Hash: f93691798a30a0f5461d7c1972f5d79e72e2cf70e9674c36ac382da0ff8614d5
Instruction Fuzzy Hash: 70E0466160E7C01FC7471B6CADB62E43F72ED93A1872D04DA98C48B167E41698AB8741

Uniqueness

Uniqueness Score: -1.00%

Function 017C6398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008adff408151601750e919722c0a1432fc0f449e4e1b1df1855b482ce777835
Instruction ID: 9e5f395dd0216e35ce58e51f805b0d40b3fb776be6ea8b9843709928af4633aa
Opcode Fuzzy Hash: 008adff408151601750e919722c0a1432fc0f449e4e1b1df1855b482ce777835
Instruction Fuzzy Hash: 15F08C70E10209EFCF00EFBCD9819ADBBB5EB88300F5041A99808A7344DB305E48AB91

Uniqueness

Uniqueness Score: -1.00%

Function 017C2D92 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cdd334f6f031a049ab78c7af0f57a964fb8c551043e19f496f92db523a2b36
Instruction ID: e5fe7597fce04db5dd71ce1f3cc9df1855c3549fded3b00692886c6554fc5779
Opcode Fuzzy Hash: b9cdd334f6f031a049ab78c7af0f57a964fb8c551043e19f496f92db523a2b36
Instruction Fuzzy Hash: 50F01C75E241188F8B94EFBCD415AE9BBF8EB48310B5180AAD919E7741EB748D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 017C1FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e84a93eb37d30616825b6159a7f27d4aab12394a4c92dab9622d7753642e3dd
Instruction ID: 6e13780d15e77f924ef0beef50bc5f02091dc3c791bba0cbf177e2e2347ccd58
Opcode Fuzzy Hash: 5e84a93eb37d30616825b6159a7f27d4aab12394a4c92dab9622d7753642e3dd
Instruction Fuzzy Hash: D2E086763402005FCB0856BDD859ECA7BEDDBC5621B050466F506CB320DD79CC5287A0

Uniqueness

Uniqueness Score: -1.00%

Function 017C2DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7486ac0a5e62d88b8f81eaa27c3305c1bafef96e4a888e82a85b70d4ee67f00
Instruction ID: 3d1ec89246a6143b2d4c09732543912c4e5ace31e1362b9b716eb0268dd2ac99
Opcode Fuzzy Hash: a7486ac0a5e62d88b8f81eaa27c3305c1bafef96e4a888e82a85b70d4ee67f00
Instruction Fuzzy Hash: C7E0ED71F101188F8B84EFBCD5056DEBBF5EF48310B5140AAD619E7315EB709D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 017C37EE Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a0836df367685171d9d6ed7df0fe58954df82a2a8c26723652eb06178759c7
Instruction ID: 459f68b033d8fab4d6db316ee52fac0c057b40bad8eefa620cde279ae7b892a9
Opcode Fuzzy Hash: e5a0836df367685171d9d6ed7df0fe58954df82a2a8c26723652eb06178759c7
Instruction Fuzzy Hash: 85D02B7770010057CB1945AD6900AFA239FABC8222B08452AFA08C3250EEB58C010350

Uniqueness

Uniqueness Score: -1.00%

Function 017C66C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40534ab1a25ad0bf4f5c5e4b460d2eccad7fa63b631ab92f784080c3cf18930
Instruction ID: fc9034d44a3cb2bdf7fd6c5ec2371ed1e141e2aaa6a63d91c29679215c3f5559
Opcode Fuzzy Hash: c40534ab1a25ad0bf4f5c5e4b460d2eccad7fa63b631ab92f784080c3cf18930
Instruction Fuzzy Hash: 1AD0A7313281A14FC7C526BC34600ED6BE9CECB01135801F7F104DB312CE144C575751

Uniqueness

Uniqueness Score: -1.00%

Function 017C6478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4687e2f7706c8fb89944e8ce1865bdfe5a1519c0729659b1fcb3bac4d09fc0
Instruction ID: 9bbbbff511e8bd8677025e51b443e12bfa23a673b6e7060de723799c87019471
Opcode Fuzzy Hash: ca4687e2f7706c8fb89944e8ce1865bdfe5a1519c0729659b1fcb3bac4d09fc0
Instruction Fuzzy Hash: A4C012743802048F8608DB6CE080825B7EAEB8C71131040B9EA19CB33ACE30EC828A68

Uniqueness

Uniqueness Score: -1.00%

Function 017C5640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2558069647.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_17c0000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9d916df2a73ceb48be89c45843fabbe15d00df4d315ad425b345689fca1f9d
Instruction ID: e14309c3e3414b145bacb936620b19262ba0264e0a81a1ed9b24198534ed7130
Opcode Fuzzy Hash: 3e9d916df2a73ceb48be89c45843fabbe15d00df4d315ad425b345689fca1f9d
Instruction Fuzzy Hash: 25B02B302102095B9600095EBC098117F1DEB40B14340019CFD0C00101AD23E4200180

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Pinball.exePID: 3872, Parent PID: 3916COMMON

Executed Functions

Function 02D24F58 Relevance: 7.9, Strings: 6, Instructions: 386COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D255CF
(oq, xrefs: 02D255A3
(oq, xrefs: 02D25056
(oq, xrefs: 02D25082
(oq, xrefs: 02D251CD
(oq, xrefs: 02D251F9

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq
API String ID: 0-3333285191
Opcode ID: 24da7ee675ba31a352029a3abeceb7053e80afe11371d55c9febdf42de4f0223
Instruction ID: f0229af0985f85ab21c2bc795e2ad8610b12eb10c1a82d4626c34c24173a8e59
Opcode Fuzzy Hash: 24da7ee675ba31a352029a3abeceb7053e80afe11371d55c9febdf42de4f0223
Instruction Fuzzy Hash: 4BE17074A002288FCB08DF69D554AAEBBF2FF98304F65C169D805A7394DB34AD46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02D22B10 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02D22B35

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 16800b6d5d4a3cfae2ae7d34cfe83db6f69f02b17db6fb68385d3451a6dc950f
Instruction ID: a2216fcabd1aa273d9ca772f819466d358b9861b31f6ef81b905e0dee0225604
Opcode Fuzzy Hash: 16800b6d5d4a3cfae2ae7d34cfe83db6f69f02b17db6fb68385d3451a6dc950f
Instruction Fuzzy Hash: 55313A347002158FDB0AAB36C554A5E33A6EB89A01B2181BDE10ACB3B9DF35DC038B94

Uniqueness

Uniqueness Score: -1.00%

Function 02D22B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02D22B35

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 80ad1c02a35e42aa2e21454912af0888660011889438f23fefcc4467ea53528d
Instruction ID: 4abb969deb2b9bbbec8817831b925ebb11f374c7ce24764c0d3e422477ddb092
Opcode Fuzzy Hash: 80ad1c02a35e42aa2e21454912af0888660011889438f23fefcc4467ea53528d
Instruction Fuzzy Hash: 5831C9357012158FDB0AAB36D55495E33A6EB89A14B20917CE10A8B3B9DF35DC428B94

Uniqueness

Uniqueness Score: -1.00%

Function 02D24248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

(oq, xrefs: 02D24295

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-3175707579
Opcode ID: 3adb6c6623f6a9188c2a0b26394c5125e26db018f4457957d34360932fe753ba
Instruction ID: b93fe4cddd625ce7681efe6f6f261b4a95639046fdc34aa920719eb16a5b9c0a
Opcode Fuzzy Hash: 3adb6c6623f6a9188c2a0b26394c5125e26db018f4457957d34360932fe753ba
Instruction Fuzzy Hash: 260168367191900FC306AB7A541422E7FA7EFE251035880AFC8458B399CE38AC4AC7C4

Uniqueness

Uniqueness Score: -1.00%

Function 02D2B0B0 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a326e00178c2800152c23ba757b3d397c92ccc5c093fd429dbce8fe0a4257e1
Instruction ID: 3be505e6300bed1d4ae39c221e79d248721bbbccacfd28cb1fdd0ffa69e81f8c
Opcode Fuzzy Hash: 2a326e00178c2800152c23ba757b3d397c92ccc5c093fd429dbce8fe0a4257e1
Instruction Fuzzy Hash: EB524C34A11320CFCB1AEF25D558A6D7BB2FB85309B64856AD40A8B3A9DF71EC45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02D25240 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7c4eabd6ffa55fc5dab183bcbf14479101b0eb0aa0b82539f4ef775415f0d3
Instruction ID: 820be6c780bdf7c4ccf3a47520caaf7e3a1d9fae557f9e03d51769f4b00118af
Opcode Fuzzy Hash: 0c7c4eabd6ffa55fc5dab183bcbf14479101b0eb0aa0b82539f4ef775415f0d3
Instruction Fuzzy Hash: E2513E34A00228DFCB18DFA5E584AADB7F6FF98319F548165E805A7364DB34AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D22850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc66f931e9c53051e35afe9d788bb99169a6f7a9fe71c4e1d9dcbb82ffbea89
Instruction ID: 022dc23168ec7d8280db25a470e50d5f773eec144f34fdbee133dad42c8105f3
Opcode Fuzzy Hash: ecc66f931e9c53051e35afe9d788bb99169a6f7a9fe71c4e1d9dcbb82ffbea89
Instruction Fuzzy Hash: B841F834A50218CFDB14DFB5D984A9EBBB6FF88304F104229E905AB368DF35A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D25308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee710c17f5a9042e069e0363bd2cf886b1d5c031e33ac3519bd6f7300bf5f3c
Instruction ID: e6cfc5b9aa95784592757c9eb4615c4c7e6394dd3c09d253ccc950555533db3f
Opcode Fuzzy Hash: 7ee710c17f5a9042e069e0363bd2cf886b1d5c031e33ac3519bd6f7300bf5f3c
Instruction Fuzzy Hash: 8341F934A01228DFCB08EF65E5949ADBBB2FF98315F608165F805A7365DB34AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D22842 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dae631b58db4b3d4ceb7cb58862f4c93979047c1681322d04d96902f751d46c
Instruction ID: 55709c9f933d016e7e8531e0c88284b0b170b0711ebd53217547efaa71be9d28
Opcode Fuzzy Hash: 3dae631b58db4b3d4ceb7cb58862f4c93979047c1681322d04d96902f751d46c
Instruction Fuzzy Hash: 98312935A50218CFDB18DFA5D9846AEBBB2FF88304F104529E901AB268DF359849CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02D22C48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5bbfcf4813d9844c5640742b912a94e87948daa8a31d45a29f25aa150d3b0c1
Instruction ID: ded7b2572d097f2294bda3c41a23864a7c39a9de2764b7154bfd378be01ed723
Opcode Fuzzy Hash: a5bbfcf4813d9844c5640742b912a94e87948daa8a31d45a29f25aa150d3b0c1
Instruction Fuzzy Hash: CC415E78900319CFCB04EFA5D5846EEBBB5FF48310F104625E505A7369EB34A995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02D22C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c34a2a643334fa0e5a979d904402bbe40ae49a4a9d21715f97137c70f08eca
Instruction ID: 46b460ffa002ac77f0d62f2ba42a89f933eeddb0210700e543d1138774f777e4
Opcode Fuzzy Hash: b0c34a2a643334fa0e5a979d904402bbe40ae49a4a9d21715f97137c70f08eca
Instruction Fuzzy Hash: 49311A78900319CFCB08EFA5D5846EEBBB5FF48314F104225E905A7369DB35A994CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D24B50 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e95f659d099c6259efeeab1e271dd341ff31e5a2aeb8a79d6bf9f3b38b1bfc
Instruction ID: 8ee609d1166176afbf76eb8257d2c90d2c2bc089ba30a4c3677a86a9b3600d65
Opcode Fuzzy Hash: a3e95f659d099c6259efeeab1e271dd341ff31e5a2aeb8a79d6bf9f3b38b1bfc
Instruction Fuzzy Hash: 1621B5712253015FC705EB79D950A5EBBA6FF90200B048A3AD0058B3B9DF70FD498B90

Uniqueness

Uniqueness Score: -1.00%

Function 02D2288D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44225840dd71f84599fb03c8b88e9d253be02d5aa44c8cfa3a2ba270c3f5c87a
Instruction ID: 98ad5d77e5258f80936431770b6d25df343698cc823f9a0f5932af6968550af4
Opcode Fuzzy Hash: 44225840dd71f84599fb03c8b88e9d253be02d5aa44c8cfa3a2ba270c3f5c87a
Instruction Fuzzy Hash: FD31E934A50218DFDB18DFB5E9846ADBBB6FF88344F144129E805A7368DF35A885CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02D24B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e29ae7aad596b036c4174d390682a79fd59203a25eda48a63411ba83d1fff11
Instruction ID: 4b30d1a7cf8a5c74b6484bc67bb862ba344d4e274bae06ddf115691341727f5c
Opcode Fuzzy Hash: 0e29ae7aad596b036c4174d390682a79fd59203a25eda48a63411ba83d1fff11
Instruction Fuzzy Hash: F92196312212065FC715EB7AE980A5EBBA6FFC0210B448A39D4158B37CDF70BD498B94

Uniqueness

Uniqueness Score: -1.00%

Function 02D22908 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280b1b265f6edd0b34f7bea8e95233cd83b09231127fb07454df3ebf0ff3f689
Instruction ID: fd7b7fda50e69a077ec2e7c570160b8401cc0fee860edd83b61f153b0553c83a
Opcode Fuzzy Hash: 280b1b265f6edd0b34f7bea8e95233cd83b09231127fb07454df3ebf0ff3f689
Instruction Fuzzy Hash: 5221FC34D50218DFDB14DFA9D984AEDBBB6FF88344F108229E91567368DB349845CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02D26888 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbcc5e73da8de8304c23e5bce61de7417ed428122b5110c66837153dd5cf796
Instruction ID: 0d5a738b1407d8d410a86cc00deb9d0e86aaf392cd0d0e9737d7fca3e2613350
Opcode Fuzzy Hash: dfbcc5e73da8de8304c23e5bce61de7417ed428122b5110c66837153dd5cf796
Instruction Fuzzy Hash: 23116071900229CFDB14DF64CA087AEBBF9EF45308F108469D405B7255DB75DD09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D2296A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ab71ab1c8eb108df9e469252762387c32c228ef6ed50a455f6c2437a643259
Instruction ID: 5f05d52162de9a16e506b23528b52ba75954ecad8f055867902656740521cfed
Opcode Fuzzy Hash: 67ab71ab1c8eb108df9e469252762387c32c228ef6ed50a455f6c2437a643259
Instruction Fuzzy Hash: C721D834940218DFDF14DFA9DA84A9DBBB6FF88304F104229E905A7368DB30AD55CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02D241A2 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9645dd60c4f877094c54acfb11e659b1358a70cb94d77389e79713ac830ee426
Instruction ID: 0bf7ede041de73f491892a7c8d78cc33fcba36bc519be5d699ed270462d75350
Opcode Fuzzy Hash: 9645dd60c4f877094c54acfb11e659b1358a70cb94d77389e79713ac830ee426
Instruction Fuzzy Hash: BB0197B231A2804FC306ABB25C6016F2FABEF8601135844ABD005DB38ACE355C0A8765

Uniqueness

Uniqueness Score: -1.00%

Function 02D232E0 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8c547a0330748c24ceff41d7766d8b3a3a3266f98173cb007d9dae186c23d9
Instruction ID: 3c7337d1626036eadf3fea41cbe4704e8351921c9ee2d0f0d27a729be01354f1
Opcode Fuzzy Hash: ef8c547a0330748c24ceff41d7766d8b3a3a3266f98173cb007d9dae186c23d9
Instruction Fuzzy Hash: 03111239A212448BDB48EBB4E55979E7FB6EB9C305F4044A9F8029B341DF75A809CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D22A80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f02bc29a5400f6dbd600e391ac70897784badd0e46470d6499e598d947e36f
Instruction ID: c68184d8101f3195684138097e04067559a015564f800b9502602bf67fd2cb21
Opcode Fuzzy Hash: 03f02bc29a5400f6dbd600e391ac70897784badd0e46470d6499e598d947e36f
Instruction Fuzzy Hash: 740178B56106008FC321AF79C50888BBBE5FB91614721896ED15ADB3A8EF35EC048FC0

Uniqueness

Uniqueness Score: -1.00%

Function 02D232F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138e23cb5714169bede480c162c38c5eaef38bcdcdd06be29af6d69ce2fbafee
Instruction ID: d88f71cb4575dbc0051b91c6ec357b914907b40e14cd80437508754fcedd442c
Opcode Fuzzy Hash: 138e23cb5714169bede480c162c38c5eaef38bcdcdd06be29af6d69ce2fbafee
Instruction Fuzzy Hash: 2D012139A212488BCB04EBB4E4597AE7FB6EB88305F404469F4029B341DF756805CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02D22A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa920e3b2cbffc5e3e36b9d588ac947351b24aff0266877fa0a68e09aaebc552
Instruction ID: b5ed880926cc29edf6349d4c76e6e2886a7b6c230b988316ad6e920852848dae
Opcode Fuzzy Hash: aa920e3b2cbffc5e3e36b9d588ac947351b24aff0266877fa0a68e09aaebc552
Instruction Fuzzy Hash: 01F04B716106008FC321AF79C50888BBBE5FB94614710896AD15ADF3A8DF35EC048FC0

Uniqueness

Uniqueness Score: -1.00%

Function 02D26388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5d129b967cea9fb1ff0a21dec5eb12774650ea15837c3ab3706bc9411230b0
Instruction ID: 7e6291a26336b175fb198ea6b77d54fd35ab7d739955640c00a25a91424824da
Opcode Fuzzy Hash: 5c5d129b967cea9fb1ff0a21dec5eb12774650ea15837c3ab3706bc9411230b0
Instruction Fuzzy Hash: 34F0B478D01209BFCB40EFB4D98169DBBF1EB68200F6085699808EB354DA306E459B51

Uniqueness

Uniqueness Score: -1.00%

Function 02D241E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2294f2560ebe5b7f7d442d1f9a1b650e3819e97ec23ae3a15578991d13c670
Instruction ID: 1ea10de6e0d2797e62546554ba6465740fc3e75b88ee4e63beb003653a94a0ef
Opcode Fuzzy Hash: bf2294f2560ebe5b7f7d442d1f9a1b650e3819e97ec23ae3a15578991d13c670
Instruction Fuzzy Hash: CDE0E5753261056F9704EBA7689096F6F9EFBC8560794443EE409D7398CE313C014BB4

Uniqueness

Uniqueness Score: -1.00%

Function 02D24237 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834e5020247c9f6219df1c29967ec0ba60ac92daf0c9e6ebf2381878e637e39c
Instruction ID: 0c4ad80ba8c3d8ebde7e9ac2580760bd9309323b6b79b47ef5e078a08f85d630
Opcode Fuzzy Hash: 834e5020247c9f6219df1c29967ec0ba60ac92daf0c9e6ebf2381878e637e39c
Instruction Fuzzy Hash: A2E0E5762201000BC305DAB9AA50B6F6747EFD0611F59593AD8018BB98DF78AC468BD4

Uniqueness

Uniqueness Score: -1.00%

Function 02D26398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c27a895c2483175a4dc82aaf8c2aeebc352d82e2e7267c0362409a03c1c73d
Instruction ID: b04589618d2837249787f9e3eb67cee320c33a95d0119ba906f19837d1547ebb
Opcode Fuzzy Hash: a4c27a895c2483175a4dc82aaf8c2aeebc352d82e2e7267c0362409a03c1c73d
Instruction Fuzzy Hash: B6F08274A11209AF8B40EFA9D94056DBBF5EB94200F5085A99808A7354DA306E449B51

Uniqueness

Uniqueness Score: -1.00%

Function 02D22D92 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decfd6af498a8db1d6da5b53bb7952a4282b94d61f82f6f236730c410d39591e
Instruction ID: fe16741463b2f6ba77a151fece3401fcd2efa358060c8e13668fdd4679e2c444
Opcode Fuzzy Hash: decfd6af498a8db1d6da5b53bb7952a4282b94d61f82f6f236730c410d39591e
Instruction Fuzzy Hash: 26F08C76E24018CF8B40EFB894046DEBBF0EF48210B1140AAD909E7310EA708E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 02D22DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c14ce4ca5e611e88b27297f5ec87d8fc608425843e707e8207324a398122150
Instruction ID: 3bd59641503c16010f44122af3815d097fde78ac9673440dbc8c5e49c46e29e8
Opcode Fuzzy Hash: 4c14ce4ca5e611e88b27297f5ec87d8fc608425843e707e8207324a398122150
Instruction Fuzzy Hash: CFE06571E101188F8B84EFBDC4046DEBBF8EF48310B2140BAE609E7310EB709E008B92

Uniqueness

Uniqueness Score: -1.00%

Function 02D22008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4c66642607c8c06ea36b47ac07400146097b72da2d1334b2d3025ddb650c14a
Instruction ID: c8d6ebac3516ea6a8eecca14815c37a42911dce681e2cf182d892c2a40bf1eec
Opcode Fuzzy Hash: b4c66642607c8c06ea36b47ac07400146097b72da2d1334b2d3025ddb650c14a
Instruction Fuzzy Hash: 61D05B357102144FCB145B7DD41D85ABBDDDFC9621301047AF506C7320DD71DC018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D266C8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8a99052cb88025a36b9b71ad49b21995a71b47e10d9be852a0044f84aa6a7c
Instruction ID: 4e13d1810bf8b98846fea312bf91e8abc55638a65c1fafa67f9cc38ec244d748
Opcode Fuzzy Hash: fc8a99052cb88025a36b9b71ad49b21995a71b47e10d9be852a0044f84aa6a7c
Instruction Fuzzy Hash: E1D0A92632103187C201666DB8823D9A6EEE7C8B21B49483BF105EB348CE759C02A782

Uniqueness

Uniqueness Score: -1.00%

Function 02D26469 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecb80a221d378250192ca479c23755fa8a86856e9ea71761e0c6ae96289122d
Instruction ID: 83cdfefeecf2fd19fc72f8339c70cfe0c1daf216aa9ae7be467a51a05d16160f
Opcode Fuzzy Hash: 1ecb80a221d378250192ca479c23755fa8a86856e9ea71761e0c6ae96289122d
Instruction Fuzzy Hash: 5AD05E793443244FC304AB28E592911B7F6AB8971071004B5E509CB37AC920FC428A19

Uniqueness

Uniqueness Score: -1.00%

Function 02D26478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2880791351.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_2d20000_Pinball.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7ecbfde92c6809f13df8b436b4dddce1925e4249bf8d0b415f7371b86f9f75
Instruction ID: 74e30ad5a778d3286d40758dc83cd07b57e850e9be0a4d9fb5a3e2d0a299c21e
Opcode Fuzzy Hash: 2e7ecbfde92c6809f13df8b436b4dddce1925e4249bf8d0b415f7371b86f9f75
Instruction Fuzzy Hash: A1C012783403144F8208EB5CE080825B3EAAB8C71031001A4E91DC7339CD30FC818A18

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\CEF\User Data\4684d7f9-6219-4dd2-875d-c6030fcb92af.tmp

C:\Users\user\AppData\Local\CEF\User Data\LocalPrefs.json (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat

C:\Users\user\AppData\Local\Temp\nscA9C6.tmp\liteFirewall.dll

C:\Users\user\AppData\Local\Temp\nsv27F2.tmp

C:\Users\user\AppData\Local\Temp\nswC34D.tmp

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\INetC.dll

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\blowfish.dll

C:\Users\user\AppData\Local\Temp\nswC34E.tmp\nsProcess.dll

C:\Users\user\AppData\Local\Temp\setup.exe

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_0

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_1

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_2

C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_3

C:\Users\user\AppData\Roaming\Pinball\DawnCache\index

C:\Users\user\AppData\Roaming\Pinball\Del.exe

C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_0

C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_1

Windows Analysis Report
SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre