Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ZXQ3AcEN5Q.exe

Overview

General Information

Sample name:ZXQ3AcEN5Q.exe
renamed because original name is a hash value
Original sample name:8ceb54209abb88fbc1c17fcb1035fb49.exe
Analysis ID:1445843
MD5:8ceb54209abb88fbc1c17fcb1035fb49
SHA1:f255dbe63698aa8d1dbfca2da9a794bf42556312
SHA256:3737e4e4ffbcc654013a2d52e25fb67092b36c5b80fb9b7e3a1b12ae0560d604
Tags:exe
Infos:

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • ZXQ3AcEN5Q.exe (PID: 6788 cmdline: "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe" MD5: 8CEB54209ABB88FBC1C17FCB1035FB49)
    • setup.exe (PID: 5588 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: E4C96146FC1754DC1B99E96E0D7AEF91)
      • Pinball.exe (PID: 3664 cmdline: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe MD5: 4B690D1CA31A2224A761AD9D8690C94D)
        • Pinball.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 4B690D1CA31A2224A761AD9D8690C94D)
        • Pinball.exe (PID: 5176 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 4B690D1CA31A2224A761AD9D8690C94D)
        • Pinball.exe (PID: 1868 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 4B690D1CA31A2224A761AD9D8690C94D)
        • Pinball.exe (PID: 1560 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 4B690D1CA31A2224A761AD9D8690C94D)
        • Pinball.exe (PID: 3208 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 4B690D1CA31A2224A761AD9D8690C94D)
  • Pinball.exe (PID: 6504 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 1364 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 3236 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 3628 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 5388 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 4840 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 5160 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 3332 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 4688 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 5932 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 3344 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 3856 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 1380 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 5936 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 736 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 2216 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 5708 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 6412 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
      • Pinball.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 4296 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 4812 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 5848 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 6672 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 352 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 4676 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
    • Pinball.exe (PID: 5688 cmdline: "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" MD5: 4B690D1CA31A2224A761AD9D8690C94D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 5588, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pinball

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: ZXQ3AcEN5Q.exeAvira: detected
Antivirus detection for URL or domain
Source: https://taujoore.com/js/_each-land-config.e2fae13c.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/js/config/comments/en-sweep.jsonAvira URL Cloud: Label: phishing
Source: https://taujoore.com/js/config/dict/cookie-consent-1.json?v=10Avira URL Cloud: Label: phishing
Source: https://taujoore.com/js/_core-survey.1b09882a.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/css/sweeps-survey.f5ae42b0.cssAvira URL Cloud: Label: phishing
Source: https://taujoore.com/pfe/current/stattag.jsAvira URL Cloud: Label: phishing
Source: http://zhngxie.wf/22_2/huge.datAvira URL Cloud: Label: phishing
Source: https://taujoore.com/css/_core-survey.d3ac2ee0.cssAvira URL Cloud: Label: phishing
Source: http://zhngxie.wf/22_2/huge.datxo&lAvira URL Cloud: Label: phishing
Source: https://taujoore.com/js/v-redux-toolkit.esm.js.fe3487ca.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/img/comments/person-sweep-1.webpAvira URL Cloud: Label: phishing
Source: https://taujoore.com/img/comments/person-sweep-7.webpAvira URL Cloud: Label: phishing
Source: https://taujoore.com/img/sweep/tokens10k.pngAvira URL Cloud: Label: phishing
Source: https://taujoore.com/img/comments/person-sweep-6.webpAvira URL Cloud: Label: phishing
Source: https://taujoore.com/sweeps-survey.html?offer_id=2755&geo=US&oaid=8c07f0967c0458754456ed3919b9d5f6&sAvira URL Cloud: Label: malware
Source: https://taujoore.com/js/s-checkLocalStorageAvailable.ts.f2fef93d.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/js/v-react-dom.production.min.js.c3329619.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/js/s-checkSessionStorageAvailable.ts.e8412d91.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/js/sweeps-survey.724f05c4.jsAvira URL Cloud: Label: phishing
Source: https://taujoore.com/img/comments/person-sweep-4.webpAvira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeAvira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].datAvira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeAvira: detection malicious, Label: HEUR/AGEN.1352426
Multi AV Scanner detection for submitted file
Source: ZXQ3AcEN5Q.exeReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.8% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Pinball\Del.exeJoe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeJoe Sandbox ML: detected
Source: ZXQ3AcEN5Q.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PinballJump to behavior
Source: ZXQ3AcEN5Q.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vk_swiftshader.dll.pdb source: vk_swiftshader.dll.4.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Pinball.exe, Pinball.exe, 00000009.00000002.3323466741.0000000005059000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\Pinball\obj\Release\Pinball.pdb source: Pinball.exe, 00000005.00000000.3187601886.0000000000FE2000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Pinball.exe, 00000009.00000002.3323466741.0000000005059000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Pinball\Pinball.exeirewall.dlll.pdbC:\Users\user\AppData\Roaming\Pinball\Uninstall.exenballdll source: setup.exe, 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Pinball.exe, Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000004.00000002.3299690784.00000000005A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000004.00000002.3299690784.00000000005A7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeDirectory queried: number of queries: 1229
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_00405B6F CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405B6F
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_00406724 FindFirstFileA,FindClose,0_2_00406724
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004027AA FindFirstFileA,0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_004066FF FindFirstFileA,FindClose,4_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_004027AA FindFirstFileA,4_2_004027AA
Source: Joe Sandbox ViewIP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox ViewIP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox ViewIP Address: 139.45.197.237 139.45.197.237
Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bageyou.xyz
Source: cef_extensions.pak.4.dr, cef.pak.4.drString found in binary or memory: http://crbug.com/275944
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/378067
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/437891.
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/456214
Source: cef.pak.4.drString found in binary or memory: http://crbug.com/497301
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/510270
Source: cef.pak.4.drString found in binary or memory: http://crbug.com/514696
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/642141
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/672186).
Source: cef.pak.4.drString found in binary or memory: http://crbug.com/717501
Source: cef.pak.4.drString found in binary or memory: http://crbug.com/775961
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/819404
Source: cef.pak.4.drString found in binary or memory: http://crbug.com/839189
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/932466
Source: cef_extensions.pak.4.drString found in binary or memory: http://crbug.com/957772
Source: Pinball.exeString found in binary or memory: http://logging.apache.org/log4ne
Source: Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: setup.exe, setup.exe, 00000004.00000003.3187681464.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000000.2932520545.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmp, ZXQ3AcEN5Q.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ZXQ3AcEN5Q.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Pinball.exe, Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.apache.org/).
Source: Pinball.exe, Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.apache.org/licenses/
Source: Pinball.exeString found in binary or memory: http://www.apache.org/licenses/LICEN
Source: Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Pinball.exe, 0000000B.00000002.3379342521.00000000056A8000.00000002.00000001.00040000.0000001E.sdmpString found in binary or memory: http://www.unicode.org/copyright.html
Source: ZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zhngxie.wf/22_2/huge.dat
Source: ZXQ3AcEN5Q.exe, 00000000.00000002.3306832629.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, ZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zhngxie.wf/22_2/huge.datxo&l
Source: cef.pak.4.drString found in binary or memory: https://accounts.google.com/
Source: devtools_resources.pak.4.drString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=745678
Source: cef.pak.4.drString found in binary or memory: https://chrome.google.com/webstore
Source: cef.pak.4.drString found in binary or memory: https://chrome.google.com/webstore/
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: bg.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=bg&category=theme81https://myactivity.google.com/myactivity/?u
Source: bg.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=bgCtrl$1
Source: el.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u
Source: el.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=elCtrl$1
Source: Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: es.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u
Source: es.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=esCtrl$1
Source: lt.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u
Source: lt.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=ltCtrl$1
Source: th.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u
Source: th.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=thCtrl$1
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.4.drString found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: cef.pak.4.drString found in binary or memory: https://codereview.chromium.org/25305002).
Source: devtools_resources.pak.4.drString found in binary or memory: https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API
Source: devtools_resources.pak.4.drString found in binary or memory: https://github.com/acornjs/acorn/issues/575
Source: devtools_resources.pak.4.drString found in binary or memory: https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://myactivity.google.com/
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, bg.pak.4.drString found in binary or memory: https://passwords.google.com
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://passwords.google.comGoogle
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://passwords.google.comT
Source: es.pak.4.drString found in binary or memory: https://passwords.google.comcuenta
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://policies.google.com/
Source: devtools_resources.pak.4.drString found in binary or memory: https://raw.githubusercontent.com/rust-lang/rust/
Source: cef.pak.4.drString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, bg.pak.4.drString found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: es.pak.4.drString found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
Source: cef.pak.4.drString found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drString found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: Pinball.exe, Pinball.exe, 0000000B.00000002.3320055780.0000000004A76000.00000002.00000001.01000000.0000000C.sdmp, Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/css/SweepHeader.8e7220ee.css
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/css/_core-survey.d3ac2ee0.css
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/css/sweeps-survey.f5ae42b0.css
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-1.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-2.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-3.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-4.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-5.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-6.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/comments/person-sweep-7.webp
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/img/sweep/tokens10k.png
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/_core-survey.1b09882a.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/_each-land-config.e2fae13c.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/_rtc.f86a36d7.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/config/comments/en-sweep.json
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/config/dict/cookie-consent-1.json?v=10
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/config/sd/sd-2755-en.js?v=10
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/s-checkLocalStorageAvailable.ts.f2fef93d.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/s-checkSessionStorageAvailable.ts.e8412d91.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/s-storageService.js.bb9f7a22.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/sweeps-survey.724f05c4.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/v-index.js.da9f7529.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/v-react-dom.production.min.js.c3329619.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/js/v-redux-toolkit.esm.js.fe3487ca.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/pfe/current/micro.tag.min.js?z=6163354&sw=/sw/sw6163354.js&var=6045488&var_3=81
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/pfe/current/stattag.js
Source: Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmp, Pinball.exe, 0000000B.00000002.3306302613.00000000004FA000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://taujoore.com/sweeps-survey.html?offer_id=2755&geo=US&oaid=8c07f0967c0458754456ed3919b9d5f6&s
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Atom
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: devtools_resources.pak.4.drString found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: cef.pak.4.drString found in binary or memory: https://www.google.com/
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, bg.pak.4.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: es.pak.4.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado
Source: Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: lt.pak.4.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarko
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
Source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
Source: cef.pak.4.drString found in binary or memory: https://www.google.com/cloudprint
Source: cef.pak.4.drString found in binary or memory: https://www.google.com/cloudprint/enable_chrome_connector
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_0040560C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040560C
Source: Pinball.exeProcess created: 65
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,0_2_100010D0
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F1
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_004034CC
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004073D50_2_004073D5
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_00406BFE0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_00406A884_2_00406A88
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 7_2_01434F587_2_01434F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 7_2_014310497_2_01431049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 8_2_01244F588_2_01244F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 8_2_012438608_2_01243860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 8_2_012410498_2_01241049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 9_2_00B54F589_2_00B54F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 9_2_00B538609_2_00B53860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 10_2_028B4F5810_2_028B4F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 11_2_00964F5811_2_00964F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 11_2_0096F66011_2_0096F660
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 11_2_0096386011_2_00963860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 17_2_02A5386017_2_02A53860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 17_2_02A54F5817_2_02A54F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 23_2_00F1386023_2_00F13860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 23_2_00F14F5823_2_00F14F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 23_2_00F1104923_2_00F11049
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B34F5836_2_00B34F58
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B3386036_2_00B33860
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B3104936_2_00B31049
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat 5D26110245F9E7A33A73CC6B005D92EC7CF077880831428084C72A0BBB7A359F
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\blowfish.dll 053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
Source: ZXQ3AcEN5Q.exe, 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameinetc.dllF vs ZXQ3AcEN5Q.exe
Source: ZXQ3AcEN5Q.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Ionic.Zip.dll.4.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.4.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.4.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: Pinball.exe.4.dr, Program.csBase64 encoded string: 'uP9e4aCxUYMusKYh8k62Q/T+HXTpYB3Pg32Y234M7mN/xEfC3Q4pBCf7zfDRBlgI', 'vZ2sjgEwxoBRJr03fuOcte7qleGWYAEtdg5rmAg/nnZvWSvdlEdF1KwSMK28rx+nF+1sFM5Z2fiCUp1NqFgn1w==', 'H2yGdAIYjXefl0vvHPrOH2tXB7CqIsIR4g5UgkvUVm91fDlAzrOWDtKdz4ImhMLBs7NtpgmGNWPlk3Gj31eS6X/4Vie8kAU5w91zOLG+NT1+9Z1s8RJEcAKub9BwGwU29tv509I86+r7uHy/dhwwTnvismP6U26IiAkYq2vvVkqmmVV5gNkH6ofHfNUSPQw1Egt93fl2UJJSZ7CwNPpNWOvT6FGwupvJerlgSFTgWw4qz7J4J1w7YYxzYe4QDIMjbMHJqUVh+f9ZnrWHSHUjXbuJ+cOyVuE4E7F10z0FlRzxxZzBZN6b5TnCpeFYyHOTQ6dUGGrqXWCRn82mEJIqpZZDFGLbipMa/COLsg6Q/qjpd+ZRPYCgCXCUhgt8mfVshLEDjdLC8NnkrQugUC+yPJQcxpWizXFl3e14042dPYd9GGva20e3UCJCS6FgFmafI3AQuWNclATWmZ0TKrN9dTCVMkkNGhhE5Uy7pq2RH3N2UhPdGIWscf6iua65MqiHYo54iAfgnVSO2NmcgvaeCfWYZWRnI6i60gWUSO9GLMoCe+rUcg/6lkwSXpQyEPzsJdab6RYHhx2J9jQDysL/iXDrOd4sZ7mCClBGYhtZ0JzHYUs+doYBCDhCpMQVVsvulm9BCe/+T29hgU8wKYHcNYQL6SCq938F4UVfE43lK7xcTmePA57Cg47N0ALcPED4MrxuU5m0XkXYAoPeaQkkj0GLZhtQmGri3er1AwR2O7WHp1n4c1uzjMa1rnXH5kIKcKUrJL3vET0PwZQbSGCF9ZaNJG0cnUVUI+YQF6ehGYI21y0ozizrRmyyxV9NR9jC', 'h1xN9c1DJorFzlaAf1/p+NJ9vRJIWW+/L2aeJ3G2ifQYMKWhMq0eteIhNM8LCBGuRlbjkOkiZQ8Pt/O/A6hL6vSSFtvhnBQf8dGF5ciVTGsg11+5itgX+O1xPEIRtIuxB0B0mRw+bCVA/i9lN/grvTOCVAe9kfRMVgvfjrMzstauvzTjxT4pGA2C/dO59iLGngTPvb38sGZosbR0syHSnhazdC2GtENiOlUi8mWgoTPbgtfe2QKj7knFdxbTeEkNy5/a1dgzv3drWL4GNjvxz5UNMvFr1fRpKA9lmGQlM4Id31otVs3kjrCzBcciqk8HKB+pgNM7SyFSZ90Qi2y8rqSCyMsJCN+7m0KbrFYDhpG+bBzygj12dYOo0WRj8ieBW4J/nDmx+gpz+5mvV8+xvvW0xxlFRWRNRv8iTIRlKXspCOWMWjZstvx5g+GElMWNBlWiqhIEY/pAbyJdFw79NoSa6qMxCPEqNr/dDORTkZUkfmuT+Q6OB8+hOOmIS+TOSD0HsZ37rMcXSYmA2diitk5TMxt4wBMOm/SNGNbH1lZs69Yv7KqPktU/odP7Y4u2DUsChruBoJ/pXb4dExvFlPJ1ubhXgUctE4flOwPSmO0kZlWd/Sh8xwrHjGhcptlu4WnNuazGPZl2ggL6wk0yi8EwgzNVp5KuePOnnVD20i8=', 'NemRR74GuFeBX0Pah/zNQrr81uIQ2SD4nraaNe/xrhwcjBHTB6dDOIwlkz1eULfXyfd5QxTzdGqmg16UQT8FSovhIsT7fzFDeo/+8Yx05SvuHqZGuQxrVTNvxjWlma0uhohZijLx0+kkmV+OMcdoowE9RyoZCgmnjiI3zelyhcvpBv68f0MgGjNKFTFjesM/QUCFAkM5UfffdksHdbrfVixRqSVjdvxJpp6FP63VTQJFyfiGIUjL4b3m4UXwrC/HDLb1QkgV0gtzMaFHsDrJstOFrilOeqToALq5csKK2Ut7ilLFcauQMnwW3xU3KJT5ApWAjRS20PgULyitNBfMag==', 'ONtlIxhmz5D6fTTHNQiOJJ6jNvogcTHMSooY6BrXHuG0tsBU/PH6QISm3FcjchVqGlvoMCJjYNLlrs6mKgDEGNhumKLC7D0KgmZskoOtAA4=', 'LxQYGDU7CrApX5/lXWKLAC+znMxafMQfgWBm2HMkoOM3O3olzS8OfjAhzS3B//ER', 'MrcvnrkW9rD7KnYTIRYymrSzDu5DPEUBESh9CQ5DyStWNMuG9KY6EAvxVZMm5knA', 'NemRR74GuFeBX0Pah/zNQgY8VGVkaUwWodVE9ywUzhHg2E+srdmUmq2wQ4A+438L7sFwuz9iZ6CCm50nH/Afya5wSHBJx2fLHsIDDIetlRA=', 'xRiAYh+SvD3HU3hikyX6iz37VVR2dm92R87SrRN8+WkoqhhVRSXXKIvnBdC4W0Lb', 'gMAgz624LN00oRTu8lt4SWGPLL5NW5dSYrWTFZ1V4Be8CTaBiZnUpwOZ2rgeDyy0', 'WDYlRZoZRy5mnqtBAImZ+2rrZBJOqX6bHhJw7ZHDMXdDOn5HGr/fJEOEl2YeTXnG', 'NemRR74GuFeBX0Pah/zNQs1bHElFyTZ1j/ximzQIyzbKfqckUfjIUAdCw1xhNKACQM03ChL66S3A/10WCaQpIg==', 'NemRR74GuFeBX0Pah/zNQi+BBp7QkhhOX1QI13L6NA221Dd8YqfnJY9fDD8LnWTO', 'ZMSQ6e+NnH04XIOa64kGGdvKlYRs2qxMzJok9BMCZX5lEmSxH7EBIhUWmmqx6kZE85N1gcfJbfeYiDjoheDymYM/utSRlQCBFgjeKKpF6adG2kuhYpcvjYMKy9RX7Vq637S48tBIg8DTws1muF94Cg==', 'vLGGNPrP/vgHNEo781XNH1x3WBb1zc6kQm3RH1513n8ZBP2BtGfIcCCY5z0hzX0oEjgAvTnlNEhFMcWO9A0viA=
Source: vk_swiftshader.dll.4.drBinary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp
Source: vk_swiftshader.dll.4.drBinary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp
Source: vk_swiftshader.dll.4.drBinary string: ..\..\third_party\swiftshader\src\Device\Context.cpp%s:%d WARNING: UNSUPPORTED: VkIndexType %d
Source: vk_swiftshader.dll.4.drBinary string: ..\..\third_party\swiftshader\src\Device\Context.cpp
Source: vk_swiftshader.dll.4.drBinary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp%s:%d WARNING: UNSUPPORTED: VkImageViewType %d
Source: vk_swiftshader.dll.4.drBinary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp%s:%d WARNING: UNSUPPORTED: Blitter source format %d
Source: vk_swiftshader.dll.4.drBinary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp%s:%d WARNING: UNSUPPORTED: polygon mode: %d
Source: vk_swiftshader.dll.4.drBinary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp
Source: classification engineClassification label: mal80.winEXE@219/110@0/10
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F1
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_004034CC
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004048BC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004048BC
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar,0_2_00402173
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Roaming\PinballJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMutant created: NULL
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Pinball_Logs_rendLog.txt
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_Pinball_Logs_mainLog.txt
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Local\Temp\nsd4529.tmpJump to behavior
Source: ZXQ3AcEN5Q.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: ZXQ3AcEN5Q.exeReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile read: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\ZXQ3AcEN5Q.exe "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: unknownProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe C:\Users\user\AppData\Roaming\Pinball\Pinball.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: fwpolicyiomgr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mmdevapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: devobj.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: audioses.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rasman.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: chrome_elf.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mdmregistration.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mdmregistration.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: omadmapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dmcmnutils.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iri.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscms.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: coloradapterclient.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.gaming.input.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: xinput1_4.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: xinput1_4.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: hid.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: chrome_elf.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mf.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mfplat.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rtworkq.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: chrome_elf.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: secur32.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: chrome_elf.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: chrome_elf.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PinballJump to behavior
Source: ZXQ3AcEN5Q.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\vk_swiftshader.dll.pdb source: vk_swiftshader.dll.4.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: Pinball.exe, Pinball.exe, 00000009.00000002.3323466741.0000000005059000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\Pinball\obj\Release\Pinball.pdb source: Pinball.exe, 00000005.00000000.3187601886.0000000000FE2000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: Pinball.exe, 00000009.00000002.3323466741.0000000005059000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\Pinball\Pinball.exeirewall.dlll.pdbC:\Users\user\AppData\Roaming\Pinball\Uninstall.exenballdll source: setup.exe, 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: Pinball.exe, Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 00000004.00000002.3299690784.00000000005A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 00000004.00000002.3299690784.00000000005A7000.00000004.00000020.00020000.00000000.sdmp
Source: Newtonsoft.Json.dll.4.drStatic PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,0_2_100010D0
Source: chrome_elf.dll.4.drStatic PE information: section name: .00cfg
Source: chrome_elf.dll.4.drStatic PE information: section name: .crthunk
Source: chrome_elf.dll.4.drStatic PE information: section name: CPADinfo
Source: chrome_elf.dll.4.drStatic PE information: section name: malloc_h
Source: libEGL.dll.4.drStatic PE information: section name: .00cfg
Source: libGLESv2.dll.4.drStatic PE information: section name: .00cfg
Source: libcef.dll.4.drStatic PE information: section name: .00cfg
Source: libcef.dll.4.drStatic PE information: section name: .rodata
Source: libcef.dll.4.drStatic PE information: section name: CPADinfo
Source: libcef.dll.4.drStatic PE information: section name: malloc_h
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 7_2_01434A70 push 550178CBh; retf 7_2_01434B0D
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B365F5 push cs; retn 0004h36_2_00B36602
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B36628 push cs; retn 0004h36_2_00B3663A
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B359B7 push es; retn 0004h36_2_00B359BA
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeCode function: 36_2_00B35911 push es; retn 0004h36_2_00B35932
Source: Ionic.Zip.dll.4.drStatic PE information: section name: .text entropy: 6.821349263259562
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\blowfish.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].datJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\libEGL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\Del.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\Uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Local\Temp\setup.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Local\Temp\nsuEC72.tmp\liteFirewall.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\nsProcess.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeFile created: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\INetC.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\libcef.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeFile created: C:\Users\user\AppData\Roaming\Pinball\log4net.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PinballJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PinballJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3150000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3380000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 31C0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 1430000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3050000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 5050000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 11E0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2D90000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B00000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: B10000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2540000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2340000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 8F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 1710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 32F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 52F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 26C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 48B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: B10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4CF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 10C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 1030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4AF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3010000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 31F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 51F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4800000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 48A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2630000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 29A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 10A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 1460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: 4700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsuEC72.tmp\liteFirewall.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\blowfish.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\nsProcess.dllJump to dropped file
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\INetC.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libcef.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\libEGL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Del.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pinball\log4net.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 6456Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe TID: 6104Thread sleep time: -600000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_00405B6F CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405B6F
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_00406724 FindFirstFileA,FindClose,0_2_00406724
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004027AA FindFirstFileA,0_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_004066FF FindFirstFileA,FindClose,4_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 4_2_004027AA FindFirstFileA,4_2_004027AA
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeThread delayed: delay time: 600000Jump to behavior
Source: ZXQ3AcEN5Q.exe, 00000000.00000002.3307432988.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, ZXQ3AcEN5Q.exe, 00000000.00000003.3305064211.00000000006D9000.00000004.00000020.00020000.00000000.sdmp, ZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnJ-9m
Source: ZXQ3AcEN5Q.exe, 00000000.00000002.3306832629.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, ZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006F6000.00000004.00000020.00020000.00000000.sdmp, ZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: Pinball.exe, 00000009.00000002.3306728305.000000000078B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeAPI call chain: ExitProcess graph end nodegraph_0-3499
Source: C:\Users\user\AppData\Local\Temp\setup.exeAPI call chain: ExitProcess graph end nodegraph_4-3648
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,0_2_100010D0
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeProcess created: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe "c:\users\user\appdata\roaming\pinball\pinball.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; k) applewebkit/537.36 (khtml, like gecko) chrome/125.0.6422.53 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\pinball\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeQueries volume information: C:\Users\user\AppData\Roaming\Pinball\log4net.dll VolumeInformation
Source: C:\Users\user\Desktop\ZXQ3AcEN5Q.exeCode function: 0_2_004034F1 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F1
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\AppData\Roaming\Pinball\Pinball.exeDirectory queried: number of queries: 1229

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Command and Scripting Interpreter		1
Windows Service		1
Access Token Manipulation		1
Masquerading		OS Credential Dumping1
Security Software Discovery		Remote Services11
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts1
Native API		1
Registry Run Keys / Startup Folder		1
Windows Service		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop Protocol1
Clipboard Data		Junk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
DLL Side-Loading		11
Process Injection		31
Virtualization/Sandbox Evasion		Security Account Manager31
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
Registry Run Keys / Startup Folder		1
Access Token Manipulation		NTDS1
Remote System Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
DLL Side-Loading		11
Process Injection		LSA Secrets12
File and Directory Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information		Cached Domain Credentials14
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
Obfuscated Files or Information		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Timestomp		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
DLL Side-Loading		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1445843 Sample: ZXQ3AcEN5Q.exe Startdate: 22/05/2024 Architecture: WINDOWS Score: 80 81 Antivirus detection for URL or domain 2->81 83 Antivirus detection for dropped file 2->83 85 Antivirus / Scanner detection for submitted sample 2->85 87 3 other signatures 2->87 8 ZXQ3AcEN5Q.exe 4 34 2->8         started        12 Pinball.exe 2->12         started        process3 dnsIp4 71 172.67.133.129 CLOUDFLARENETUS United States 8->71 55 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 8->55 dropped 57 C:\Users\user\AppData\Local\...\blowfish.dll, PE32 8->57 dropped 59 C:\Users\user\AppData\Local\...\huge[1].dat, PE32 8->59 dropped 61 2 other files (none is malicious) 8->61 dropped 14 setup.exe 9 112 8->14         started        18 Pinball.exe 12->18         started        20 Pinball.exe 12->20         started        22 Pinball.exe 12->22         started        24 10 other processes 12->24 file5 process6 file7 63 C:\Users\user\AppData\...\vulkan-1.dll, PE32 14->63 dropped 65 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32 14->65 dropped 67 C:\Users\user\AppData\...\libGLESv2.dll, PE32 14->67 dropped 69 16 other files (13 malicious) 14->69 dropped 93 Antivirus detection for dropped file 14->93 26 Pinball.exe 18 23 14->26         started        30 Pinball.exe 18->30         started        32 Pinball.exe 18->32         started        34 Pinball.exe 18->34         started        38 3 other processes 18->38 36 Pinball.exe 20->36         started        40 3 other processes 20->40 42 2 other processes 22->42 44 2 other processes 24->44 signatures8 process9 dnsIp10 73 104.21.45.251 CLOUDFLARENETUS United States 26->73 89 Antivirus detection for dropped file 26->89 91 Machine Learning detection for dropped file 26->91 46 Pinball.exe 2 26->46         started        49 Pinball.exe 2 26->49         started        51 Pinball.exe 2 26->51         started        53 2 other processes 26->53 signatures11 process12 dnsIp13 75 139.45.195.8 RETN-ASEU Netherlands 46->75 77 139.45.197.237 RETN-ASEU Netherlands 46->77 79 6 other IPs or domains 46->79

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ZXQ3AcEN5Q.exe44%ReversingLabsWin32.Trojan.Generic
ZXQ3AcEN5Q.exe100%AviraTR/Dldr.Agent.rbzkh

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\setup.exe100%AviraHEUR/AGEN.1359405
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat100%AviraHEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe100%AviraHEUR/AGEN.1352426
C:\Users\user\AppData\Roaming\Pinball\Del.exe100%Joe Sandbox ML
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe100%Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat3%ReversingLabsWin32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\nsd452B.tmp\INetC.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd452B.tmp\blowfish.dll5%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsd452B.tmp\nsProcess.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\nsuEC72.tmp\liteFirewall.dll0%ReversingLabs
C:\Users\user\AppData\Local\Temp\setup.exe3%ReversingLabsWin32.Trojan.Generic
C:\Users\user\AppData\Roaming\Pinball\Del.exe7%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Pinball.exe4%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll3%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libEGL.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\libcef.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\log4net.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll0%ReversingLabs
C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll0%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape0%URL Reputationsafe
https://support.google.com/chrome/answer/60988690%URL Reputationsafe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-Atom0%URL Reputationsafe
https://photos.google.com/settings?referrer=CHROME_NTP0%URL Reputationsafe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash0%URL Reputationsafe
https://passwords.google.com0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges0%URL Reputationsafe
https://support.google.com/chromebook?p=app_intent0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter0%URL Reputationsafe
http://nsis.sf.net/NSIS_ErrorError0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape0%URL Reputationsafe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl0%URL Reputationsafe
http://nsis.sf.net/NSIS_Error0%URL Reputationsafe
https://support.google.com/chrome/answer/6098869?hl=es0%Avira URL Cloudsafe
http://www.apache.org/licenses/LICEN0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://support.google.com/chrome/a/answer/91222840%URL Reputationsafe
https://passwords.google.comcuenta0%Avira URL Cloudsafe
https://taujoore.com/js/_each-land-config.e2fae13c.js100%Avira URL Cloudphishing
https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern0%URL Reputationsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter0%Avira URL Cloudsafe
https://taujoore.com/js/config/comments/en-sweep.json100%Avira URL Cloudphishing
https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionado0%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#sec-term0%Avira URL Cloudsafe
https://www.google.com/chrome/privacy/eula_text.html0%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit0%Avira URL Cloudsafe
https://taujoore.com/js/config/dict/cookie-consent-1.json?v=10100%Avira URL Cloudphishing
http://crbug.com/5102700%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://taujoore.com/js/_core-survey.1b09882a.js100%Avira URL Cloudphishing
https://chrome.google.com/webstore?hl=urCtrl$20%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit0%Avira URL Cloudsafe
https://taujoore.com/css/sweeps-survey.f5ae42b0.css100%Avira URL Cloudphishing
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix0%Avira URL Cloudsafe
https://taujoore.com/pfe/current/stattag.js100%Avira URL Cloudphishing
https://chrome.google.com/webstore?hl=ltCtrl$10%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence0%Avira URL Cloudsafe
http://crbug.com/3780670%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier0%Avira URL Cloudsafe
http://zhngxie.wf/22_2/huge.dat100%Avira URL Cloudphishing
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter0%Avira URL Cloudsafe
http://crbug.com/4973010%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=elCtrl$10%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://www.google.com/cloudprint0%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape0%Avira URL Cloudsafe
https://taujoore.com/css/_core-survey.d3ac2ee0.css100%Avira URL Cloudphishing
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape0%Avira URL Cloudsafe
http://bageyou.xyz0%Avira URL Cloudsafe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%220%Avira URL Cloudsafe
http://logging.apache.org/log4ne0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
http://zhngxie.wf/22_2/huge.datxo&l100%Avira URL Cloudphishing
http://crbug.com/6421410%Avira URL Cloudsafe
https://taujoore.com/js/v-redux-toolkit.esm.js.fe3487ca.js100%Avira URL Cloudphishing
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence0%Avira URL Cloudsafe
https://taujoore.com/img/comments/person-sweep-1.webp100%Avira URL Cloudphishing
http://crbug.com/9577720%Avira URL Cloudsafe
https://taujoore.com/img/comments/person-sweep-7.webp100%Avira URL Cloudphishing
http://crbug.com/7175010%Avira URL Cloudsafe
https://chrome.google.com/webstore0%Avira URL Cloudsafe
http://crbug.com/8391890%Avira URL Cloudsafe
https://www.google.com/chrome/privacy/eula_text.html&0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://taujoore.com/img/sweep/tokens10k.png100%Avira URL Cloudphishing
https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://taujoore.com/img/comments/person-sweep-6.webp100%Avira URL Cloudphishing
https://www.google.com/chrome/privacy/eula_text.htmlT&r0%Avira URL Cloudsafe
http://crbug.com/8194040%Avira URL Cloudsafe
https://taujoore.com/sweeps-survey.html?offer_id=2755&geo=US&oaid=8c07f0967c0458754456ed3919b9d5f6&s100%Avira URL Cloudmalware
http://crbug.com/5146960%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://taujoore.com/js/s-checkLocalStorageAvailable.ts.f2fef93d.js100%Avira URL Cloudphishing
https://chrome.google.com/webstore?hl=ukCtrl$10%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://taujoore.com/js/v-react-dom.production.min.js.c3329619.js100%Avira URL Cloudphishing
http://api.install-stat.debug.world/clients/installs0%Avira URL Cloudsafe
https://taujoore.com/js/s-checkSessionStorageAvailable.ts.e8412d91.js100%Avira URL Cloudphishing
https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative0%Avira URL Cloudsafe
https://raw.githubusercontent.com/rust-lang/rust/0%Avira URL Cloudsafe
https://chrome.google.com/webstore/0%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u0%Avira URL Cloudsafe
https://taujoore.com/js/sweeps-survey.724f05c4.js100%Avira URL Cloudphishing
https://www.google.com/0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity0%Avira URL Cloudsafe
https://chrome.google.com/webstore?hl=zh-CNCtrl$10%Avira URL Cloudsafe
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC10%Avira URL Cloudsafe
https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter0%Avira URL Cloudsafe
https://taujoore.com/img/comments/person-sweep-4.webp100%Avira URL Cloudphishing

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/js/config/comments/en-sweep.jsonPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmptrue
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDashdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#sec-atomescapedevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://support.google.com/chrome/answer/6098869?hl=eses.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://www.apache.org/licenses/LICENPinball.exefalse
  • Avira URL Cloud: safe
unknown
https://support.google.com/chrome/answer/6098869setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacterdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.google.com/chrome/privacy/eula_text.htmlsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, bg.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.google.com/chrome/privacy/eula_text.htmlAy&udaGestionadoes.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://passwords.google.comcuentaes.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/js/_each-land-config.e2fae13c.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmptrue
  • Avira URL Cloud: phishing
unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLogPinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Atomdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#sec-termdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/js/config/dict/cookie-consent-1.json?v=10Pinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://taujoore.com/js/_core-survey.1b09882a.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigitdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/510270cef_extensions.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=es&category=theme81https://myactivity.google.com/myactivity/?ues.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/css/sweeps-survey.f5ae42b0.cssPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigitdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=urCtrl$2setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/pfe/current/stattag.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefixdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/378067cef_extensions.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://photos.google.com/settings?referrer=CHROME_NTPsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequencedevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=ltCtrl$1lt.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrlsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDashdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifierdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://zhngxie.wf/22_2/huge.datZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006A6000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://chrome.google.com/webstore?hl=elCtrl$1el.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacterdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.google.com/cloudprintcef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://passwords.google.comsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertiondevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
http://crbug.com/497301cef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?uth.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscapedevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscapedevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/css/_core-survey.d3ac2ee0.cssPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
http://bageyou.xyzPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/642141cef_extensions.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://logging.apache.org/log4nePinball.exefalse
  • Avira URL Cloud: safe
unknown
http://zhngxie.wf/22_2/huge.datxo&lZXQ3AcEN5Q.exe, 00000000.00000002.3306832629.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, ZXQ3AcEN5Q.exe, 00000000.00000003.3304493544.00000000006A6000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRangesdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://taujoore.com/js/v-redux-toolkit.esm.js.fe3487ca.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://taujoore.com/img/comments/person-sweep-1.webpPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://support.google.com/chromebook?p=app_intentsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequencedevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/717501cef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/957772cef_extensions.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/img/comments/person-sweep-7.webpPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
http://crbug.com/839189cef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstorecef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscapedevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://taujoore.com/img/sweep/tokens10k.pngPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digitsdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscapedevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetterdevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?uPinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/img/comments/person-sweep-6.webpPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
http://nsis.sf.net/NSIS_ErrorErrorZXQ3AcEN5Q.exefalse
  • URL Reputation: safe
unknown
https://www.google.com/chrome/privacy/eula_text.html&setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?ult.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.google.com/chrome/privacy/eula_text.htmlT&rsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/819404cef_extensions.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscapedevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?uel.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/sweeps-survey.html?offer_id=2755&geo=US&oaid=8c07f0967c0458754456ed3919b9d5f6&sPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmp, Pinball.exe, 0000000B.00000002.3306302613.00000000004FA000.00000004.00000010.00020000.00000000.sdmpfalse
  • Avira URL Cloud: malware
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Termdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
http://crbug.com/514696cef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrlsetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, Pinball.exe, 00000008.00000002.3323529758.0000000005750000.00000002.00000001.00040000.0000001D.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
http://nsis.sf.net/NSIS_Errorsetup.exe, setup.exe, 00000004.00000003.3187681464.00000000005DD000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000004.00000000.2932520545.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmp, ZXQ3AcEN5Q.exefalse
  • URL Reputation: safe
unknown
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=ukCtrl$1setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/js/s-checkLocalStorageAvailable.ts.f2fef93d.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://taujoore.com/js/v-react-dom.production.min.js.c3329619.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
http://api.install-stat.debug.world/clients/installsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/js/s-checkSessionStorageAvailable.ts.e8412d91.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Alternativedevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://support.google.com/chrome/a/answer/9122284setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, el.pak.4.dr, lt.pak.4.dr, th.pak.4.dr, uk.pak.4.dr, es.pak.4.dr, bg.pak.4.drfalse
  • URL Reputation: safe
unknown
https://raw.githubusercontent.com/rust-lang/rust/devtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigitsdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore/cef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmp, uk.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://www.google.com/cef.pak.4.drfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/js/sweeps-survey.724f05c4.jsPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-Patterndevtools_resources.pak.4.drfalse
  • URL Reputation: safe
unknown
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivitysetup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://chrome.google.com/webstore?hl=zh-CNCtrl$1setup.exe, 00000004.00000002.3301119357.000000000283A000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1Pinball.exe, Pinball.exe, 0000000B.00000002.3320055780.0000000004A76000.00000002.00000001.01000000.0000000C.sdmp, Pinball.exe, 0000000B.00000002.3319682960.0000000004A32000.00000002.00000001.01000000.0000000C.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://taujoore.com/img/comments/person-sweep-4.webpPinball.exe, 0000000B.00000002.3314628400.0000000002401000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: phishing
unknown
https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacterdevtools_resources.pak.4.drfalse
  • Avira URL Cloud: safe
unknown

World Map of Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Public IPs

IPDomainCountryFlagASNASN NameMalicious
162.159.61.3
unknownUnited States
13335CLOUDFLARENETUSfalse
1.1.1.1
unknownAustralia
13335CLOUDFLARENETUSfalse
139.45.197.248
unknownNetherlands
9002RETN-ASEUfalse
139.45.197.237
unknownNetherlands
9002RETN-ASEUfalse
188.114.97.3
unknownEuropean Union
13335CLOUDFLARENETUSfalse
139.45.195.8
unknownNetherlands
9002RETN-ASEUfalse
37.48.68.71
unknownNetherlands
60781LEASEWEB-NL-AMS-01NetherlandsNLfalse
172.67.133.129
unknownUnited States
13335CLOUDFLARENETUSfalse
104.21.45.251
unknownUnited States
13335CLOUDFLARENETUSfalse
172.64.41.3
unknownUnited States
13335CLOUDFLARENETUSfalse

General Information

Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1445843
Start date and time:2024-05-22 17:13:50 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 15m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Sample name:ZXQ3AcEN5Q.exe
renamed because original name is a hash value
Original Sample Name:8ceb54209abb88fbc1c17fcb1035fb49.exe
Detection:MAL
Classification:mal80.winEXE@219/110@0/10
EGA Information:
  • Successful, ratio: 30%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 430
  • Number of non-executed functions: 55
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

  • Connection to analysis system has been lost, crash info: Unknown
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
  • Execution Graph export aborted for target Pinball.exe, PID 1020 because it is empty
  • Execution Graph export aborted for target Pinball.exe, PID 1560 because it is empty
  • Execution Graph export aborted for target Pinball.exe, PID 1868 because it is empty
  • Execution Graph export aborted for target Pinball.exe, PID 5160 because it is empty
  • Execution Graph export aborted for target Pinball.exe, PID 5176 because it is empty
  • Execution Graph export aborted for target Pinball.exe, PID 6412 because it is empty
  • Execution Graph export aborted for target Pinball.exe, PID 7004 because it is empty
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Skipping network analysis since amount of network traffic is too extensive
  • VT rate limit hit for: ZXQ3AcEN5Q.exe

Simulations

Behavior and APIs

TimeTypeDescription
17:16:37AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Pinball C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
17:16:46AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Pinball C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
162.159.61.30af4a52e.0cce76886785b0ff1283f346.workers.devemailantonio.cataneo@axactor.com.msgGet hashmaliciousHTMLPhisherBrowse
    file.exeGet hashmaliciousFormBookBrowse
      n6N8r2RjfaGet hashmaliciousUnknownBrowse
        Setup (1).exeGet hashmaliciousUnknownBrowse
          LametaSetup.exeGet hashmaliciousUnknownBrowse
            LametaSetup.exeGet hashmaliciousUnknownBrowse
              file.exeGet hashmaliciousFormBookBrowse
                file.exeGet hashmaliciousUnknownBrowse
                  file.exeGet hashmaliciousUnknownBrowse
                    SilentCrypto.exeGet hashmaliciousUnknownBrowse
                      1.1.1.1PO-230821_pdf.exeGet hashmaliciousFormBook, NSISDropperBrowse
                      • www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
                      AFfv8HpACF.exeGet hashmaliciousUnknownBrowse
                      • 1.1.1.1/
                      INVOICE_90990_PDF.exeGet hashmaliciousFormBookBrowse
                      • www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
                      Go.exeGet hashmaliciousUnknownBrowse
                      • 1.1.1.1/
                      139.45.197.237http://thaudray.comGet hashmaliciousUnknownBrowse
                      • thaudray.com/favicon.ico
                      188.114.97.3SSDQ115980924.exeGet hashmaliciousFormBookBrowse
                      • www.ilodezu.com/z48v/
                      http://twomancake.comGet hashmaliciousUnknownBrowse
                      • twomancake.com/
                      125hGBgWz4WzJqk.exeGet hashmaliciousLokibotBrowse
                      • merckllc.top/kin/five/fre.php
                      ARRIVAL NOTICE.docGet hashmaliciousLokibotBrowse
                      • spencerstuartllc.top/evie2/five/fre.php
                      Inventory_list.xlsGet hashmaliciousUnknownBrowse
                      • i8.ae/cGrnN
                      Inventory_list.xlsGet hashmaliciousUnknownBrowse
                      • i8.ae/cGrnN
                      Pepsico LLC Company Profile.xlsGet hashmaliciousUnknownBrowse
                      • dokdo.in/iCM
                      https://url10.mailanyone.net/scanner?m=1s8UKG-0004E8-5Q&d=4%7Cmail%2F90%2F1716078000%2F1s8UKG-0004E8-5Q%7Cin10a%7C57e1b682%7C12862802%7C10019077%7C664946600FC17EE4BB6DF523D2A883B4&o=%2Fphta%3A%2Fmtsnail.yoe-n.gblpcosoe9%2Fac3-4-e9mth.h9&s=1mPfQBETHBPuKWtxkpT_CvbF_FcGet hashmaliciousHTMLPhisherBrowse
                      • epifn.sesquipea.com/epIFn/
                      SlHgSOYcMY.exeGet hashmaliciousUnknownBrowse
                      • htcmania.com/wp-admin/
                      PURCHASE ORDER_REQUEST.xla.xlsxGet hashmaliciousUnknownBrowse
                      • dokdo.in/

                      Domains

                      No context

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      RETN-ASEUhttp://ct.ke/STUDENTS-FREE-LAPT0PSGet hashmaliciousUnknownBrowse
                      • 139.45.197.253
                      https://metamasskluginn.blogspot.hk/Get hashmaliciousUnknownBrowse
                      • 139.45.197.236
                      http://gaptooju.netGet hashmaliciousUnknownBrowse
                      • 139.45.197.245
                      http://iamgold-essakane.smartforum.xyzGet hashmaliciousUnknownBrowse
                      • 139.45.197.243
                      http://iamgold-essakane.smartforum.xyzGet hashmaliciousUnknownBrowse
                      • 139.45.197.243
                      https://iamgold24-recruter.smartforum.xyz/Get hashmaliciousUnknownBrowse
                      • 139.45.197.243
                      rnnTivv9Q5.elfGet hashmaliciousMiraiBrowse
                      • 87.245.240.139
                      https://ak.eessoong.com/4/5742330Get hashmaliciousUnknownBrowse
                      • 139.45.197.236
                      http://omnatuor.comGet hashmaliciousUnknownBrowse
                      • 139.45.197.227
                      http://cohawaut.comGet hashmaliciousUnknownBrowse
                      • 139.45.197.228
                      RETN-ASEUhttp://ct.ke/STUDENTS-FREE-LAPT0PSGet hashmaliciousUnknownBrowse
                      • 139.45.197.253
                      https://metamasskluginn.blogspot.hk/Get hashmaliciousUnknownBrowse
                      • 139.45.197.236
                      http://gaptooju.netGet hashmaliciousUnknownBrowse
                      • 139.45.197.245
                      http://iamgold-essakane.smartforum.xyzGet hashmaliciousUnknownBrowse
                      • 139.45.197.243
                      http://iamgold-essakane.smartforum.xyzGet hashmaliciousUnknownBrowse
                      • 139.45.197.243
                      https://iamgold24-recruter.smartforum.xyz/Get hashmaliciousUnknownBrowse
                      • 139.45.197.243
                      rnnTivv9Q5.elfGet hashmaliciousMiraiBrowse
                      • 87.245.240.139
                      https://ak.eessoong.com/4/5742330Get hashmaliciousUnknownBrowse
                      • 139.45.197.236
                      http://omnatuor.comGet hashmaliciousUnknownBrowse
                      • 139.45.197.227
                      http://cohawaut.comGet hashmaliciousUnknownBrowse
                      • 139.45.197.228
                      CLOUDFLARENETUShttps://worker-yellow-recipe-87f5.krevidajrezart.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                      • 104.17.25.14
                      https://forfbidrecrossboot.pages.dev/503.jsGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      https://url12.mailanyone.net/scanner?m=1s9N28-0000qa-3G&d=4%7Cmail%2F90%2F1716288000%2F1s9N28-0000qa-3G%7Cin12d%7C57e1b682%7C11949542%7C14589158%7C664C7BD820EF00EA9CDA64C5861AF4A9&o=%2Fphta%3A%2Fvtslekssiaipcr.te%2Ftoenscino-x-pk%2F6tRunvbhyfphp.x&s=qPX4ToIpiLV6GTYf9V69nGT5pssGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                      • 104.17.2.184
                      2T6MGxlKZT.exeGet hashmaliciousSmokeLoaderBrowse
                      • 104.21.76.57
                      SOA_41457.exeGet hashmaliciousAgentTeslaBrowse
                      • 172.67.74.152
                      http://sonarr.vertras.xyzGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      file.exeGet hashmaliciousUnknownBrowse
                      • 172.67.147.32
                      EST- 250424-0370pdf.exeGet hashmaliciousFormBookBrowse
                      • 188.114.96.3
                      http://ct.ke/STUDENTS-FREE-LAPT0PSGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      CLOUDFLARENETUShttps://worker-yellow-recipe-87f5.krevidajrezart.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                      • 104.17.25.14
                      https://forfbidrecrossboot.pages.dev/503.jsGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      https://url12.mailanyone.net/scanner?m=1s9N28-0000qa-3G&d=4%7Cmail%2F90%2F1716288000%2F1s9N28-0000qa-3G%7Cin12d%7C57e1b682%7C11949542%7C14589158%7C664C7BD820EF00EA9CDA64C5861AF4A9&o=%2Fphta%3A%2Fvtslekssiaipcr.te%2Ftoenscino-x-pk%2F6tRunvbhyfphp.x&s=qPX4ToIpiLV6GTYf9V69nGT5pssGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                      • 104.17.2.184
                      2T6MGxlKZT.exeGet hashmaliciousSmokeLoaderBrowse
                      • 104.21.76.57
                      SOA_41457.exeGet hashmaliciousAgentTeslaBrowse
                      • 172.67.74.152
                      http://sonarr.vertras.xyzGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      file.exeGet hashmaliciousUnknownBrowse
                      • 172.67.147.32
                      EST- 250424-0370pdf.exeGet hashmaliciousFormBookBrowse
                      • 188.114.96.3
                      http://ct.ke/STUDENTS-FREE-LAPT0PSGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      CLOUDFLARENETUShttps://worker-yellow-recipe-87f5.krevidajrezart.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                      • 104.17.25.14
                      https://forfbidrecrossboot.pages.dev/503.jsGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      https://url12.mailanyone.net/scanner?m=1s9N28-0000qa-3G&d=4%7Cmail%2F90%2F1716288000%2F1s9N28-0000qa-3G%7Cin12d%7C57e1b682%7C11949542%7C14589158%7C664C7BD820EF00EA9CDA64C5861AF4A9&o=%2Fphta%3A%2Fvtslekssiaipcr.te%2Ftoenscino-x-pk%2F6tRunvbhyfphp.x&s=qPX4ToIpiLV6GTYf9V69nGT5pssGet hashmaliciousHtmlDropper, HTMLPhisherBrowse
                      • 104.17.2.184
                      2T6MGxlKZT.exeGet hashmaliciousSmokeLoaderBrowse
                      • 104.21.76.57
                      SOA_41457.exeGet hashmaliciousAgentTeslaBrowse
                      • 172.67.74.152
                      http://sonarr.vertras.xyzGet hashmaliciousUnknownBrowse
                      • 188.114.96.3
                      file.exeGet hashmaliciousUnknownBrowse
                      • 172.67.147.32
                      EST- 250424-0370pdf.exeGet hashmaliciousFormBookBrowse
                      • 188.114.96.3
                      http://ct.ke/STUDENTS-FREE-LAPT0PSGet hashmaliciousUnknownBrowse
                      • 188.114.96.3

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].datW7EzWEmSx9.exeGet hashmaliciousSmokeLoaderBrowse
                        C:\Users\user\AppData\Local\Temp\nsd452B.tmp\blowfish.dllW7EzWEmSx9.exeGet hashmaliciousSmokeLoaderBrowse
                          file.exeGet hashmaliciousSmokeLoaderBrowse
                            SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exeGet hashmaliciousUnknownBrowse
                              SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exeGet hashmaliciousUnknownBrowse
                                C:\Users\user\AppData\Local\Temp\nsd452B.tmp\INetC.dllW7EzWEmSx9.exeGet hashmaliciousSmokeLoaderBrowse
                                  file.exeGet hashmaliciousSmokeLoaderBrowse
                                    SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exeGet hashmaliciousUnknownBrowse
                                      SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exeGet hashmaliciousUnknownBrowse
                                        SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exeGet hashmaliciousUnknownBrowse
                                          SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exeGet hashmaliciousUnknownBrowse
                                            SenOg8gPgc.exeGet hashmaliciousUnknownBrowse
                                              SenOg8gPgc.exeGet hashmaliciousUnknownBrowse
                                                8ubQTzsAqG.exeGet hashmaliciousUnknownBrowse

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat

                                                  Download File
                                                  Process:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Category:dropped
                                                  Size (bytes):107288450
                                                  Entropy (8bit):7.999947393622158
                                                  Encrypted:true
                                                  SSDEEP:3145728:UFB+Zfed0odbTmOg2qSbGqVpx8asKWDsV7Kilz:Cdd0odfmOzMqbxVsPsQ2
                                                  MD5:E4C96146FC1754DC1B99E96E0D7AEF91
                                                  SHA1:CD8FAEFFA579248A227D56456BD3ADCE3BEA5B73
                                                  SHA-256:5D26110245F9E7A33A73CC6B005D92EC7CF077880831428084C72A0BBB7A359F
                                                  SHA-512:84E65D94B647ECC2BD0149926EDB86A97497306F19F4F163AA24DDFED5C0568EF1B15AFC470B72555DBB2D947C1454709C16F994695F44449928937E406735A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  Joe Sandbox View:
                                                  • Filename: W7EzWEmSx9.exe, Detection: malicious, Browse
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\nsd452A.tmp

                                                  Download File
                                                  Process:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):60214
                                                  Entropy (8bit):5.610742625513486
                                                  Encrypted:false
                                                  SSDEEP:1536:mds731kqY3Q4Oc//////Q0LatojW/lX1Xb41:gs7323Sc//////Q3tojW/XXy
                                                  MD5:A27F7A7163166414654A3416FDB88A6D
                                                  SHA1:D16A2D801676F1A0424AE67812665D5FA0B1D9AA
                                                  SHA-256:865593ADDBF11AE04ABE04020724006B0411451016B4D757B87487029D539D3D
                                                  SHA-512:822CF5DB115D09AE9621704342FCE1FF570C44DB2A2C72A02FF2014D37138E10DD9F214BA82D22406657CC6C5ADB8BA0B273788ADF7253561459751A46D27C19
                                                  Malicious:false
                                                  Preview:&+......,........................$......L*......&+..............................................................................................................................................................................................................................................................j.......,.../...5.......3.......................................................................................................................N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\nsd452B.tmp\INetC.dll

                                                  Download File
                                                  Process:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):22016
                                                  Entropy (8bit):5.668346578219837
                                                  Encrypted:false
                                                  SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
                                                  MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
                                                  SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
                                                  SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
                                                  SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Joe Sandbox View:
                                                  • Filename: W7EzWEmSx9.exe, Detection: malicious, Browse
                                                  • Filename: file.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.7061.14046.exe, Detection: malicious, Browse
                                                  • Filename: SenOg8gPgc.exe, Detection: malicious, Browse
                                                  • Filename: SenOg8gPgc.exe, Detection: malicious, Browse
                                                  • Filename: 8ubQTzsAqG.exe, Detection: malicious, Browse
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\nsd452B.tmp\blowfish.dll

                                                  Download File
                                                  Process:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):22528
                                                  Entropy (8bit):6.674611218414922
                                                  Encrypted:false
                                                  SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
                                                  MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
                                                  SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
                                                  SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
                                                  SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                  Joe Sandbox View:
                                                  • Filename: W7EzWEmSx9.exe, Detection: malicious, Browse
                                                  • Filename: file.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, Detection: malicious, Browse
                                                  • Filename: SecuriteInfo.com.Virus.Win32.Viking.11801.5207.exe, Detection: malicious, Browse
                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\nsd452B.tmp\nsProcess.dll

                                                  Download File
                                                  Process:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4608
                                                  Entropy (8bit):4.666004851298707
                                                  Encrypted:false
                                                  SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                                                  MD5:FAA7F034B38E729A983965C04CC70FC1
                                                  SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                                                  SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                                                  SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\nsuEC72.tmp\liteFirewall.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):82944
                                                  Entropy (8bit):6.389604568119155
                                                  Encrypted:false
                                                  SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
                                                  MD5:165E1EF5C79475E8C33D19A870E672D4
                                                  SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
                                                  SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
                                                  SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\nsw8B75.tmp

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):358363994
                                                  Entropy (8bit):6.97215047543413
                                                  Encrypted:false
                                                  SSDEEP:3145728:yTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsfV97nN:ynUs4tvaVzTD9yN
                                                  MD5:616102790F0B6D2FCE10BCA39AC59CD2
                                                  SHA1:12665E992B48DEDC93DFCB56B9078C87B68E3AA7
                                                  SHA-256:291A6A64B059D7B22FD70A691B0FA9ADE13FF8120745FB217B5E86B3FBCE8056
                                                  SHA-512:B3E60390A83CA986BF30076873453AF34BD07DA3D9F4EDE52568F22D3858CC1284958C70CE1E79DE71728AA886291F2937A5625C2F4A6ADDAF068BA9D65D03B3
                                                  Malicious:false
                                                  Preview:........,.......................H...........................................................................................................................................................................................................................................................e...i...........~...j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Local\Temp\setup.exe

                                                  Download File
                                                  Process:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Category:dropped
                                                  Size (bytes):107288450
                                                  Entropy (8bit):7.999947393622158
                                                  Encrypted:true
                                                  SSDEEP:3145728:UFB+Zfed0odbTmOg2qSbGqVpx8asKWDsV7Kilz:Cdd0odfmOzMqbxVsPsQ2
                                                  MD5:E4C96146FC1754DC1B99E96E0D7AEF91
                                                  SHA1:CD8FAEFFA579248A227D56456BD3ADCE3BEA5B73
                                                  SHA-256:5D26110245F9E7A33A73CC6B005D92EC7CF077880831428084C72A0BBB7A359F
                                                  SHA-512:84E65D94B647ECC2BD0149926EDB86A97497306F19F4F163AA24DDFED5C0568EF1B15AFC470B72555DBB2D947C1454709C16F994695F44449928937E406735A9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_0

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.01057775872642915
                                                  Encrypted:false
                                                  SSDEEP:3:MsFl:/F
                                                  MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                  SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                  SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                  SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                  Malicious:false
                                                  Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_1

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.012096502606932763
                                                  Encrypted:false
                                                  SSDEEP:3:MsEllllkXl:/M/6
                                                  MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                  SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                  SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                  SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_2

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.011852361981932763
                                                  Encrypted:false
                                                  SSDEEP:3:MsHlDll:/H
                                                  MD5:0962291D6D367570BEE5454721C17E11
                                                  SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                  SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                  SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\DawnCache\data_3

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.012340643231932763
                                                  Encrypted:false
                                                  SSDEEP:3:MsGl3ll:/y
                                                  MD5:41876349CB12D6DB992F1309F22DF3F0
                                                  SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                  SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                  SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\DawnCache\index

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                  Category:dropped
                                                  Size (bytes):262512
                                                  Entropy (8bit):9.553120663130604E-4
                                                  Encrypted:false
                                                  SSDEEP:3:LsNlzjX:Ls3zT
                                                  MD5:429373B4F2BDFF72443B600B3684552E
                                                  SHA1:397EBCC7AAFF22A135461F3CFC739D04DBD13F85
                                                  SHA-256:66E3EE117EEC9FB979874303E13D5C7CD2C9F533D24BD34B36C6FD1905A93CED
                                                  SHA-512:B85EC624BB8626B1B2F83E4DFBD379D3BE1EAE7D7EF6F1024557C95E70E8813B9A35B58A628A47A08BC0D53FC3EA8EABE3F7822697460F2E2346D1534584D239
                                                  Malicious:false
                                                  Preview:..........................................a..w/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\Del.exe

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):4.622398838808078
                                                  Encrypted:false
                                                  SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
                                                  MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                                                  SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                                                  SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                                                  SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 7%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....*(....*....0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..*........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#...*...0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

                                                  C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_0

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.01057775872642915
                                                  Encrypted:false
                                                  SSDEEP:3:MsFl:/F
                                                  MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                  SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                  SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                  SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                  Malicious:false
                                                  Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_1

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.012096502606932763
                                                  Encrypted:false
                                                  SSDEEP:3:MsEllllkXl:/M/6
                                                  MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                  SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                  SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                  SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_2

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.011852361981932763
                                                  Encrypted:false
                                                  SSDEEP:3:MsHlDll:/H
                                                  MD5:0962291D6D367570BEE5454721C17E11
                                                  SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                  SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                  SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\GPUCache\data_3

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8192
                                                  Entropy (8bit):0.012340643231932763
                                                  Encrypted:false
                                                  SSDEEP:3:MsGl3ll:/y
                                                  MD5:41876349CB12D6DB992F1309F22DF3F0
                                                  SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                  SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                  SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                  Malicious:false
                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\GPUCache\index

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                  Category:dropped
                                                  Size (bytes):262512
                                                  Entropy (8bit):9.553120663130604E-4
                                                  Encrypted:false
                                                  SSDEEP:3:LsNluh5//:Ls3uh5//
                                                  MD5:3F44B486BD45DCD4C69E167AE38FA388
                                                  SHA1:07DCE282AD68945ECCFFC5E88B38A35AB0AA0B11
                                                  SHA-256:489443176833ED1D87FCB7700954956C9525CD91756DA69F04008691411F3A53
                                                  SHA-512:F91A13E75A1B644B8A2031E3477B0ACF78E52DB15EA1D4D4577EF99D9BE6133F1387BAC16D06C36AB710FCA35873E7C61B229635DFF3C25DD0F8D9C2829ED1D6
                                                  Malicious:false
                                                  Preview:........................................P.X..w/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\Ionic.Zip.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):462336
                                                  Entropy (8bit):6.803831500359682
                                                  Encrypted:false
                                                  SSDEEP:6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
                                                  MD5:6DED8FCBF5F1D9E422B327CA51625E24
                                                  SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
                                                  SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
                                                  SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..

                                                  C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):574376
                                                  Entropy (8bit):5.8881470355864725
                                                  Encrypted:false
                                                  SSDEEP:12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
                                                  MD5:8F81C9520104B730C25D90A9DD511148
                                                  SHA1:7CF46CB81C3B51965C1F78762840EB5797594778
                                                  SHA-256:F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
                                                  SHA-512:B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                  C:\Users\user\AppData\Roaming\Pinball\Newtonsoft.Json.xml

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):561424
                                                  Entropy (8bit):4.606896607960262
                                                  Encrypted:false
                                                  SSDEEP:6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
                                                  MD5:928ED37DB61C1E98A2831C8C01F6157C
                                                  SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
                                                  SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
                                                  SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
                                                  Malicious:false
                                                  Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

                                                  C:\Users\user\AppData\Roaming\Pinball\Pinball.exe

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):296448
                                                  Entropy (8bit):5.661255804975676
                                                  Encrypted:false
                                                  SSDEEP:3072:XTpjcoTPzVVHaqwlnhblNKrsVPmlszai14OVzdvayfvYn6P:Dp/jBV6qIbYAzdyyq
                                                  MD5:4B690D1CA31A2224A761AD9D8690C94D
                                                  SHA1:D06807F49E724584B07948595B4A95FC3B953805
                                                  SHA-256:3C0B10F995830F947232B2C988B62D75587AE5C7676FF8A4BE632EF2DDDFD2C4
                                                  SHA-512:D7E09311F1167867CCB5579EADA3D0E7DDB17FCC7E081ECD24FF3E9ED57F4F6C639F6BC8CDBE4BC1F68EF3068C438A4D393361C38599D5CA6C129FF669A3E82D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....0f..............0.............:.... ........@.. ....................................@....................................O.......l............................................................................ ............... ..H............text...`.... ...................... ..`.rsrc...l...........................@..@.reloc..............................@..B........................H....... ... ...........@...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

                                                  C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Category:dropped
                                                  Size (bytes):215868
                                                  Entropy (8bit):5.849250731809078
                                                  Encrypted:false
                                                  SSDEEP:3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kPI:rxFSI+y1qk6zuPI
                                                  MD5:19465A2847A815EE6327B250B557717B
                                                  SHA1:8222694DA1ECFBC4B1D836B52D96AA43767FDABC
                                                  SHA-256:6049B5573430700AD8CBC4800FF210EDA1608914944B1C781D31CCFADEBBBC95
                                                  SHA-512:5FD0AEB5E379CA67CB995B87E6F7F5F5DE04816CB8BFFE722F07A8D80C74C084F28419D8E08AB83FC585E4C2C11ED202E4CC7897FB1133CF9BF1CE40C1F7B966
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\Xilium.CefGlue.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):875520
                                                  Entropy (8bit):5.621956468920589
                                                  Encrypted:false
                                                  SSDEEP:12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
                                                  MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
                                                  SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
                                                  SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
                                                  SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r

                                                  C:\Users\user\AppData\Roaming\Pinball\cef.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1946739
                                                  Entropy (8bit):7.989700491058983
                                                  Encrypted:false
                                                  SSDEEP:49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
                                                  MD5:96AD47D78A70B33158961585D9154ECC
                                                  SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
                                                  SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
                                                  SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
                                                  Malicious:false
                                                  Preview:........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..

                                                  C:\Users\user\AppData\Roaming\Pinball\cef_100_percent.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):214119
                                                  Entropy (8bit):7.955451054538398
                                                  Encrypted:false
                                                  SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
                                                  MD5:391F512173ECEC14EB5CE31299858DE1
                                                  SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                                                  SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                                                  SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                                                  Malicious:false
                                                  Preview:........................#.b...&.....:.g....7.....7.....7.....7|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

                                                  C:\Users\user\AppData\Roaming\Pinball\cef_200_percent.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):290001
                                                  Entropy (8bit):7.9670215100557735
                                                  Encrypted:false
                                                  SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
                                                  MD5:BF59A047984EAFC79E40B0011ED4116D
                                                  SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                                                  SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                                                  SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                                                  Malicious:false
                                                  Preview:........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L*....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N.*...N.+...Nv,...N.-...N;r...N.|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

                                                  C:\Users\user\AppData\Roaming\Pinball\cef_extensions.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1305142
                                                  Entropy (8bit):7.99463351416358
                                                  Encrypted:true
                                                  SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
                                                  MD5:20DDA02AF522924E45223D7262D0E1ED
                                                  SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                                                  SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                                                  SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                                                  Malicious:false
                                                  Preview:........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

                                                  C:\Users\user\AppData\Roaming\Pinball\cef_sandbox.lib

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:current ar archive
                                                  Category:dropped
                                                  Size (bytes):87182312
                                                  Entropy (8bit):5.477474753748716
                                                  Encrypted:false
                                                  SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
                                                  MD5:FFD456A85E341D430AFA0C07C1068538
                                                  SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
                                                  SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
                                                  SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
                                                  Malicious:false
                                                  Preview:!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

                                                  C:\Users\user\AppData\Roaming\Pinball\chrome_100_percent.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):656926
                                                  Entropy (8bit):7.964275415195004
                                                  Encrypted:false
                                                  SSDEEP:12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
                                                  MD5:3404DD2B0E63D9418F755430336C7164
                                                  SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
                                                  SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
                                                  SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
                                                  Malicious:false
                                                  Preview:..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;*....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...*<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

                                                  C:\Users\user\AppData\Roaming\Pinball\chrome_200_percent.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1017158
                                                  Entropy (8bit):7.951759131641406
                                                  Encrypted:false
                                                  SSDEEP:24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
                                                  MD5:3FBF52922588A52245DC927BCC36DBB3
                                                  SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
                                                  SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
                                                  SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
                                                  Malicious:false
                                                  Preview:..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+*...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..*<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

                                                  C:\Users\user\AppData\Roaming\Pinball\chrome_elf.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1174528
                                                  Entropy (8bit):6.475826085865088
                                                  Encrypted:false
                                                  SSDEEP:24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
                                                  MD5:207AC4BE98A6A5A72BE027E0A9904462
                                                  SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
                                                  SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
                                                  SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_43.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2106216
                                                  Entropy (8bit):6.4563314852745375
                                                  Encrypted:false
                                                  SSDEEP:49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
                                                  MD5:1C9B45E87528B8BB8CFA884EA0099A85
                                                  SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
                                                  SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
                                                  SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\d3dcompiler_47.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4127200
                                                  Entropy (8bit):6.577665867424953
                                                  Encrypted:false
                                                  SSDEEP:49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
                                                  MD5:3B4647BCB9FEB591C2C05D1A606ED988
                                                  SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
                                                  SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
                                                  SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\devtools_resources.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2205743
                                                  Entropy (8bit):7.923318114432295
                                                  Encrypted:false
                                                  SSDEEP:49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
                                                  MD5:54D4E14BFF05C268248CAB2EEDFB61DD
                                                  SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
                                                  SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
                                                  SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
                                                  Malicious:false
                                                  Preview:........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

                                                  C:\Users\user\AppData\Roaming\Pinball\icudtl.dat

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):10717392
                                                  Entropy (8bit):6.282534560973548
                                                  Encrypted:false
                                                  SSDEEP:196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
                                                  MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                  SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                  SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                  SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                  Malicious:false
                                                  Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

                                                  C:\Users\user\AppData\Roaming\Pinball\libEGL.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):377856
                                                  Entropy (8bit):6.602916265542373
                                                  Encrypted:false
                                                  SSDEEP:6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
                                                  MD5:8BC03B20348D4FEBE6AEDAA32AFBBF47
                                                  SHA1:B1843C83808D9C8FBA32181CD3A033C66648C685
                                                  SHA-256:CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
                                                  SHA-512:3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\libGLESv2.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):6635008
                                                  Entropy (8bit):6.832077162910607
                                                  Encrypted:false
                                                  SSDEEP:196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
                                                  MD5:63988D35D7AB96823B5403BE3C110F7F
                                                  SHA1:8CC4D3F4D2F1A2285535706961A26D02595AF55C
                                                  SHA-256:E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
                                                  SHA-512:D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\libcef.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):176517632
                                                  Entropy (8bit):7.025874989859836
                                                  Encrypted:false
                                                  SSDEEP:1572864:VSuR7JVHywK/Sf1rWID4Pu2v8zgguHWJEqM90Hw4DclJkBLrWXmfnehuWNIPKtlL:MCYRNIPKYTFBhfmOS9KBaVz
                                                  MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                                                  SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                                                  SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                                                  SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\libcef.lib

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:current ar archive
                                                  Category:dropped
                                                  Size (bytes):40258
                                                  Entropy (8bit):4.547436244061504
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:310744A0E10BD9C2C6F50C525E4447F9
                                                  SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                                                  SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                                                  SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                                                  Malicious:false
                                                  Preview:!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N|..N|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h*..h*..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\af.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):470498
                                                  Entropy (8bit):5.409080468053459
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                                                  SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                                                  SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                                                  SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                                                  Malicious:false
                                                  Preview:........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\am.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):763010
                                                  Entropy (8bit):4.909167677028143
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                                                  SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                                                  SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                                                  SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                                                  Malicious:false
                                                  Preview:........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....|...........$.............................1.....}.........................................Z.................|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2*.....*.....*.....*.....+....",.....,

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ar.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):838413
                                                  Entropy (8bit):4.920788245468804
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C70B71B05A8CA5B8243C951B96D67453
                                                  SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                                                  SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                                                  SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                                                  Malicious:false
                                                  Preview:.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.|...w.....y.....z.....|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).....*....z*.....*.....*....t+.....,....{,.....,....--

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\bg.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):869469
                                                  Entropy (8bit):4.677916300869337
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:12A9400F521EC1D3975257B2061F5790
                                                  SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                                                  SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                                                  SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                                                  Malicious:false
                                                  Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\bn.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1118348
                                                  Entropy (8bit):4.2989199535081895
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:89A24AF99D5592AB8964B701F13E1706
                                                  SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
                                                  SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
                                                  SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
                                                  Malicious:false
                                                  Preview:........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).....*....6*.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ca.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):537139
                                                  Entropy (8bit):5.397688491907634
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:37B54705BD9620E69E7E9305CDFAC7AB
                                                  SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
                                                  SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
                                                  SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
                                                  Malicious:false
                                                  Preview:........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................|...........".....>.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\cs.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):545011
                                                  Entropy (8bit):5.844949195905198
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:65A2C2A73232AB1073E44E0FB6310A5F
                                                  SHA1:F3158AA527538819C93F57E2C778198A94416C98
                                                  SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
                                                  SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
                                                  Malicious:false
                                                  Preview:.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\da.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):496165
                                                  Entropy (8bit):5.446061543230436
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A44EC6AAA456A6129FD820CA75E968BE
                                                  SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
                                                  SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
                                                  SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
                                                  Malicious:false
                                                  Preview:........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.".....*...../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q.............................*.....q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\de.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):534726
                                                  Entropy (8bit):5.49306456316532
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:49CA708EBB7A4913C36F7461F094886B
                                                  SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
                                                  SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
                                                  SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
                                                  Malicious:false
                                                  Preview:.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\el.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):950999
                                                  Entropy (8bit):4.76377388695373
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                                                  SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                                                  SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                                                  SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                                                  Malicious:false
                                                  Preview:........)$..e.H...h.P...i.X...j.b...k.q...l.|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....|&.....&.....'.....'....;(....t(.....(....M).....)....;*....h*....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\en-GB.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):430665
                                                  Entropy (8bit):5.517246002357965
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                                                  SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                                                  SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                                                  SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                                                  Malicious:false
                                                  Preview:.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[.......................*.....V.....a...........*.....l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\en-US.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):434598
                                                  Entropy (8bit):5.509004494756697
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                                                  SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                                                  SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                                                  SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                                                  Malicious:false
                                                  Preview:.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\es-419.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):524728
                                                  Entropy (8bit):5.377464936206393
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                                                  SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                                                  SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                                                  SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                                                  Malicious:false
                                                  Preview:........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\es.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):523181
                                                  Entropy (8bit):5.356449408331279
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:3D1720FE1D801D54420438A54CBE1547
                                                  SHA1:8B1B0735AE0E473858C59C54111697609831D65A
                                                  SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
                                                  SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
                                                  Malicious:false
                                                  Preview:........5$..e.`...h.h...i.p...j.|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z...........*.....f.....{...........o.................g...........+.....P.................8.....N.................".....1.................*.....@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\et.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):475733
                                                  Entropy (8bit):5.456553040437113
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C00D66D3FD4FD9D777949E2F115F11FB
                                                  SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
                                                  SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
                                                  SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
                                                  Malicious:false
                                                  Preview:........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\fa.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):773397
                                                  Entropy (8bit):5.04618630633187
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C998140F7970B81117B073A87430A748
                                                  SHA1:8A6662C3AABDAC68083A4D00862205689008110C
                                                  SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
                                                  SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
                                                  Malicious:false
                                                  Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M*....p*.....*....n+.....+.....+....d,.....-....P-....x-

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\fi.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):483378
                                                  Entropy (8bit):5.428549632880935
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:1CFD31A6B740D95E4D5D53432743EBF1
                                                  SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
                                                  SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
                                                  SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
                                                  Malicious:false
                                                  Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...|.b...}.t.....|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\fil.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):546749
                                                  Entropy (8bit):5.197094281578282
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
                                                  SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
                                                  SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
                                                  SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
                                                  Malicious:false
                                                  Preview:.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\fr.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):568277
                                                  Entropy (8bit):5.380723339968972
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:D185162DF4CAC9DCE7D70926099D1CF1
                                                  SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
                                                  SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
                                                  SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
                                                  Malicious:false
                                                  Preview:.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\gu.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1103776
                                                  Entropy (8bit):4.336526106451521
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:44F704DB17F0203FA5195DC4572C946C
                                                  SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
                                                  SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
                                                  SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
                                                  Malicious:false
                                                  Preview:........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\he.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):681555
                                                  Entropy (8bit):4.658620623200349
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:E75086A24ECAA25CD18D547AB041C65A
                                                  SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
                                                  SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
                                                  SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                                                  Malicious:false
                                                  Preview:.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\hi.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1167065
                                                  Entropy (8bit):4.308980564019689
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                                                  SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                                                  SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                                                  SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                                                  Malicious:false
                                                  Preview:.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y.....*.....}...........;...................................*.....[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6*.....*.....*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\hr.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):526575
                                                  Entropy (8bit):5.518614920030561
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:0BD2F9847C151F9A6FC0D59A0074770C
                                                  SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                                                  SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                                                  SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                                                  Malicious:false
                                                  Preview:........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\hu.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):566819
                                                  Entropy (8bit):5.6387082185760935
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                                                  SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                                                  SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                                                  SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                                                  Malicious:false
                                                  Preview:.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.................*.................*...........".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\id.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):466959
                                                  Entropy (8bit):5.379636778781472
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:1466C484179769A2263542E943742E59
                                                  SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                                                  SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                                                  SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                                                  Malicious:false
                                                  Preview:........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....|.......................C.....b.....r...........1.....h.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\it.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):522800
                                                  Entropy (8bit):5.284113957149261
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:7767A70358D0AE6D408FF979DF9B2CD4
                                                  SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                                                  SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                                                  SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                                                  Malicious:false
                                                  Preview:........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2...........*.......................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x.................*.............................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ja.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):634636
                                                  Entropy (8bit):5.718480148171718
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4A4AF69546DCF65F2D722A574E221BEA
                                                  SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
                                                  SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
                                                  SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
                                                  Malicious:false
                                                  Preview:........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U...........*.....d.....z....."...........*.....?...........X.................`.................@.................g............ ..... ..... .....

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\kn.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1256908
                                                  Entropy (8bit):4.247594585839553
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
                                                  SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
                                                  SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
                                                  SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
                                                  Malicious:false
                                                  Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[.................................................................*.....u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N*.....*.....*.....,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ko.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):532715
                                                  Entropy (8bit):6.0824169765918725
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:5FD9942F57FFC499481947DB0C3FDFA7
                                                  SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
                                                  SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
                                                  SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
                                                  Malicious:false
                                                  Preview:........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\lt.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):573015
                                                  Entropy (8bit):5.63016577624216
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:8745B87D09D9ECC1112C60F5DD934034
                                                  SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
                                                  SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
                                                  SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
                                                  Malicious:false
                                                  Preview:........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\lv.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):570683
                                                  Entropy (8bit):5.624052036286866
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:E16B0B814074ACBD3A72AF677AC7BE84
                                                  SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
                                                  SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
                                                  SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
                                                  Malicious:false
                                                  Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ml.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1307271
                                                  Entropy (8bit):4.279854356980692
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:309E068B4E15157486D095301370B234
                                                  SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
                                                  SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
                                                  SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
                                                  Malicious:false
                                                  Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................|............ ..... .....!.....!....*".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....).....*.....*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\mr.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1075591
                                                  Entropy (8bit):4.313573412022857
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:69C36C23D6D9841F4362FF3A0F86CFDF
                                                  SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
                                                  SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
                                                  SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
                                                  Malicious:false
                                                  Preview:.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).....*....y*.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ms.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):489457
                                                  Entropy (8bit):5.250540323172458
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A1253E64F8910162B15B56883798E3C0
                                                  SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                                                  SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                                                  SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                                                  Malicious:false
                                                  Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\nb.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):476208
                                                  Entropy (8bit):5.4272499712806965
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:622ED80836E0EF3F949ED8A379CBE6DF
                                                  SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                                                  SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                                                  SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                                                  Malicious:false
                                                  Preview:........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\nl.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):491139
                                                  Entropy (8bit):5.362822162782947
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C8378A81039DB6943F97286CC8C629F1
                                                  SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                  SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                  SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                  Malicious:false
                                                  Preview:.........$..e.*...h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................#.....*.....1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\pl.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):550453
                                                  Entropy (8bit):5.757462673735937
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                  SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                  SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                  SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                  Malicious:false
                                                  Preview:........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\pt-BR.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):516256
                                                  Entropy (8bit):5.426294949123783
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:3BA426E91C34E1C33F13912974835F7D
                                                  SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                  SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                  SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                  Malicious:false
                                                  Preview:........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\pt-PT.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):518861
                                                  Entropy (8bit):5.4029194034596575
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                  SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                  SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                  SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                  Malicious:false
                                                  Preview:........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....|...........J.......

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ro.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):537125
                                                  Entropy (8bit):5.4566742297332596
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                  SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                  SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                  SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                  Malicious:false
                                                  Preview:........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ru.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):878725
                                                  Entropy (8bit):4.848685093578222
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:3A3D0D865A78399306924D3ED058274E
                                                  SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                                                  SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                                                  SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                                                  Malicious:false
                                                  Preview:.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]*.....*.....+....$+.....+.....,.....-

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\sk.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):553886
                                                  Entropy (8bit):5.812150703289796
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A9656846F66A36BB399B65F7B702B47D
                                                  SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
                                                  SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
                                                  SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
                                                  Malicious:false
                                                  Preview:........5$..e.`...h.h...i.|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\sl.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):532410
                                                  Entropy (8bit):5.486224954097277
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:BE49BB186EF62F55E27FF6B5FD5933F4
                                                  SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
                                                  SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
                                                  SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
                                                  Malicious:false
                                                  Preview:.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\sr.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):818089
                                                  Entropy (8bit):4.779985663253385
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
                                                  SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
                                                  SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
                                                  SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
                                                  Malicious:false
                                                  Preview:........=$|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\sv.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):479512
                                                  Entropy (8bit):5.541069475898216
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:09592A0D35100CD9707C278C9FFC7618
                                                  SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
                                                  SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
                                                  SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
                                                  Malicious:false
                                                  Preview:.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.|...t.....v.....w.....y.....z.....|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\sw.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):504856
                                                  Entropy (8bit):5.34516819438501
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:9E038A0D222055FED6F1883992DCA5A8
                                                  SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
                                                  SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
                                                  SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
                                                  Malicious:false
                                                  Preview:........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ta.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1298313
                                                  Entropy (8bit):4.058495187693592
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:36104CB0D5E26E0BBB313E529C14F4B4
                                                  SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
                                                  SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
                                                  SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
                                                  Malicious:false
                                                  Preview:.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4*.....*.....*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\te.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1199612
                                                  Entropy (8bit):4.314031920337284
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:98714389748A98ECC536CD2F17859BDF
                                                  SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
                                                  SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
                                                  SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
                                                  Malicious:false
                                                  Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...|.]...}.o.....w.....|.......................................................................X...........J...........|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....*$....k$.....%.....&....6'.....'.....(.....).....*...._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\th.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1008989
                                                  Entropy (8bit):4.356501290091745
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:56F29DE3465795E781A52FCF736BBE08
                                                  SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
                                                  SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
                                                  SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
                                                  Malicious:false
                                                  Preview:........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....).....*.....*.....+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\tr.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):515329
                                                  Entropy (8bit):5.616482888977033
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:46CA9EE922C3C175DE466066F40B29CE
                                                  SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
                                                  SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
                                                  SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
                                                  Malicious:false
                                                  Preview:........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...|.|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\uk.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):876131
                                                  Entropy (8bit):4.88404350774067
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:1365ABDD1EFB44720EA3975E4A472530
                                                  SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
                                                  SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
                                                  SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
                                                  Malicious:false
                                                  Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\ur.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):765853
                                                  Entropy (8bit):5.17061834928747
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:3FED15E64BEAFBA75DE61B08A45AE106
                                                  SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
                                                  SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
                                                  SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
                                                  Malicious:false
                                                  Preview:........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s.......................*.....p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3*.....*.....*....]+.....+.....,....F,.....,....z-.....-

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\vi.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):609259
                                                  Entropy (8bit):5.796202390024141
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:CD741C24AF7597E0DC11069D3AC324E0
                                                  SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                                                  SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                                                  SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                                                  Malicious:false
                                                  Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.*...s.;...t.D...v.Y...w.f...y.l...z.{...|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._.................*.................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\zh-CN.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):441207
                                                  Entropy (8bit):6.685712707138377
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:99E6ACFB46923C4F8B29058E9EE6166B
                                                  SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                                                  SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                                                  SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                                                  Malicious:false
                                                  Preview:.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................|.......................x.

                                                  C:\Users\user\AppData\Roaming\Pinball\locales\zh-TW.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):439630
                                                  Entropy (8bit):6.6906570508767995
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:BB7C995F257B9125457381BB01856D72
                                                  SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                                                  SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                                                  SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                                                  Malicious:false
                                                  Preview:.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

                                                  C:\Users\user\AppData\Roaming\Pinball\log4net.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):275968
                                                  Entropy (8bit):5.778490068583466
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                                                  SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                                                  SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                                                  SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>..*..?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}....*...0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4....*.........//........{....*"..}....*..{....*....0..4..........%...(5....-.~....r?..p(....+...}.......,..(6....*........')........{....*..{....*"..}....*.*..{....*"..}....*.0..........

                                                  C:\Users\user\AppData\Roaming\Pinball\log4net.xml

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1547797
                                                  Entropy (8bit):4.370092880615517
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:32AB4E0A9A82245EE3B474EF811F558F
                                                  SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                                                  SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                                                  SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                                                  Malicious:false
                                                  Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

                                                  C:\Users\user\AppData\Roaming\Pinball\natives_blob.bin

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):342741
                                                  Entropy (8bit):5.496697631795104
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                                                  SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                                                  SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                                                  SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                                                  Malicious:false
                                                  Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

                                                  C:\Users\user\AppData\Roaming\Pinball\resources.pak

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8226870
                                                  Entropy (8bit):7.996842728494533
                                                  Encrypted:true
                                                  SSDEEP:
                                                  MD5:F7EC58AEA756F3FD8A055AC582103A78
                                                  SHA1:086B63691F5E5375A537E99E062345F56512A22C
                                                  SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
                                                  SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
                                                  Malicious:false
                                                  Preview:............f.6:..{..D..|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

                                                  C:\Users\user\AppData\Roaming\Pinball\snapshot_blob.bin

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):276319
                                                  Entropy (8bit):4.242318669799302
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:8234983533FA47D2A1D7710FF8274299
                                                  SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
                                                  SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
                                                  SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
                                                  Malicious:false
                                                  Preview:.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\start.bat

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):4.056020968057882
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:3019A15BE1CF46C77F54C93A4C7241B8
                                                  SHA1:12C7AB93C3B11078D0C24D76B33BA78FBF48DD75
                                                  SHA-256:82225085DE984BD8DBB734C49FD2ECC2BCA334A24C8F40B2F15DF337056C3AA3
                                                  SHA-512:2EFC374262FEBB526B4CD18D7A31CEDCF0BF0866CC34AAAA8234421CF359D3CE571346EE8AFD5F6CE61DCECC50D8712DFFF3A553209DF480BE7F6E36A56BBC7F
                                                  Malicious:false
                                                  Preview:start Pinball.exe baYR1czR

                                                  C:\Users\user\AppData\Roaming\Pinball\swiftshader\Xilium.CefGlue.pdb

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:MSVC program database ver 7.00, 512*4023 bytes
                                                  Category:dropped
                                                  Size (bytes):2059776
                                                  Entropy (8bit):4.067542396670122
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
                                                  SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
                                                  SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
                                                  SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
                                                  Malicious:false
                                                  Preview:Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\swiftshader\libEGL.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):346624
                                                  Entropy (8bit):6.54104466243173
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:7A53AD3E5D2E65C982450E7B7453DE8A
                                                  SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
                                                  SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
                                                  SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\swiftshader\libGLESv2.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):2445312
                                                  Entropy (8bit):6.750207745422387
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:334C3157E63A34B22CCE25A44A04835F
                                                  SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
                                                  SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
                                                  SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\v8_context_snapshot.bin

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):631017
                                                  Entropy (8bit):5.144793130466209
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
                                                  SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
                                                  SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
                                                  SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
                                                  Malicious:false
                                                  Preview:..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):4400640
                                                  Entropy (8bit):6.667314807988382
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:7F913E31D00082338F073EF60D67B335
                                                  SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
                                                  SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
                                                  SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\vk_swiftshader_icd.json

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:JSON data
                                                  Category:dropped
                                                  Size (bytes):106
                                                  Entropy (8bit):4.724752649036734
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                  SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                  SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                  SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                  Malicious:false
                                                  Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

                                                  C:\Users\user\AppData\Roaming\Pinball\vulkan-1.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):826368
                                                  Entropy (8bit):6.78646032943732
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:A031EB19C61942A26EF74500AD4B42DF
                                                  SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
                                                  SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
                                                  SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                  C:\Users\user\AppData\Roaming\Pinball\widevinecdmadapter.dll

                                                  Download File
                                                  Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):211456
                                                  Entropy (8bit):6.566524833521835
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:6D7FD214164C858BBCF4AA050C114E8C
                                                  SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
                                                  SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
                                                  SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                                                  Malicious:false
                                                  Antivirus:
                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Entropy (8bit):6.048083347709549
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:ZXQ3AcEN5Q.exe
                                                  File size:243'715 bytes
                                                  MD5:8ceb54209abb88fbc1c17fcb1035fb49
                                                  SHA1:f255dbe63698aa8d1dbfca2da9a794bf42556312
                                                  SHA256:3737e4e4ffbcc654013a2d52e25fb67092b36c5b80fb9b7e3a1b12ae0560d604
                                                  SHA512:bacef4eeb7c43bd51daad9d4378f0e0109c58e23cccb305e4625c35706278ded1bff63d255a16315a480e4c36f0d0528fddce53f2bc718fbc83bdb19c1abf6b4
                                                  SSDEEP:3072:rdwWsF1XDWLAlcqva7fvYnS4OVzX+nb2O1TJ4TVok7/y:rPs/7y7qAzOnbTJ4TVR7/y
                                                  TLSH:4534FE69D93B4810D4B099FD673363C01AED9D136B2DEA274291BE7269FDBC22E47103
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L...w.Oa.................h...|.......4............@

                                                  File Icon

                                                  Icon Hash:176dccb4cccc6907

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x4034f1
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x614F9B77 [Sat Sep 25 21:58:15 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f10e4da994053bf80c20cee985b32e29

                                                  Entrypoint Preview

                                                  Instruction
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 00000220h
                                                  push esi
                                                  push edi
                                                  xor edi, edi
                                                  push 00008001h
                                                  mov dword ptr [ebp-10h], edi
                                                  mov dword ptr [ebp-04h], 0040A130h
                                                  mov dword ptr [ebp-08h], edi
                                                  mov byte ptr [ebp-0Ch], 00000020h
                                                  call dword ptr [004080B0h]
                                                  mov esi, dword ptr [004080C0h]
                                                  lea eax, dword ptr [ebp-000000C0h]
                                                  push eax
                                                  mov dword ptr [ebp-000000ACh], edi
                                                  mov dword ptr [ebp-2Ch], edi
                                                  mov dword ptr [ebp-28h], edi
                                                  mov dword ptr [ebp-000000C0h], 0000009Ch
                                                  call esi
                                                  test eax, eax
                                                  jne 00007F0D94AFB3A1h
                                                  lea eax, dword ptr [ebp-000000C0h]
                                                  mov dword ptr [ebp-000000C0h], 00000094h
                                                  push eax
                                                  call esi
                                                  cmp dword ptr [ebp-000000B0h], 02h
                                                  jne 00007F0D94AFB38Ch
                                                  movsx cx, byte ptr [ebp-0000009Fh]
                                                  mov al, byte ptr [ebp-000000ACh]
                                                  sub ecx, 30h
                                                  sub al, 53h
                                                  mov byte ptr [ebp-26h], 00000004h
                                                  neg al
                                                  sbb eax, eax
                                                  not eax
                                                  and eax, ecx
                                                  mov word ptr [ebp-2Ch], ax
                                                  cmp dword ptr [ebp-000000B0h], 02h
                                                  jnc 00007F0D94AFB384h
                                                  and byte ptr [ebp-26h], 00000000h
                                                  cmp byte ptr [ebp-000000ABh], 00000041h
                                                  jl 00007F0D94AFB373h
                                                  movsx ax, byte ptr [ebp-000000ABh]
                                                  sub eax, 40h
                                                  mov word ptr [ebp-2Ch], ax
                                                  jmp 00007F0D94AFB366h
                                                  mov word ptr [ebp-2Ch], di
                                                  cmp dword ptr [ebp-000000BCh], 0Ah
                                                  jnc 00007F0D94AFB36Ah
                                                  and word ptr [ebp+00000000h], 0000h

                                                  Rich Headers

                                                  Programming Language:
                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x85440xa0.rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x400000x2bc18.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0x80000x29c.rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x10000x67100x6800ce5ea12d8928af396fab397be4d86e7bFalse0.6721379206730769data6.457647337216819IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata0x80000x13820x1400bc5ab97ffda7e39e35bf0c1f7a27854bFalse0.4630859375data5.260451498562911IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data0xa0000x255580x600a4d50f221ae2d23d0280180871dbcfc8False0.4680989583333333data4.219370823365332IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .ndata0x300000x100000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc0x400000x2bc180x2be00526ac03e544c740fe8e3835db7eb43c0False0.22805377492877493data5.240181650722112IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                  RT_ICON0x403100x10828Device independent bitmap graphic, 128 x 256 x 32, image size 67584EnglishUnited States0.10537678930557198
                                                  RT_ICON0x50b380x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 38016EnglishUnited States0.15818793357157873
                                                  RT_ICON0x59fe00x5488Device independent bitmap graphic, 72 x 144 x 32, image size 21600EnglishUnited States0.18613678373382625
                                                  RT_ICON0x5f4680x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.17465753424657535
                                                  RT_ICON0x636900x38a6PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9899324231140533
                                                  RT_ICON0x66f380x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.2408713692946058
                                                  RT_ICON0x694e00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.2718105065666041
                                                  RT_ICON0x6a5880x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.3737704918032787
                                                  RT_ICON0x6af100x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.425531914893617
                                                  RT_DIALOG0x6b3780x202dataEnglishUnited States0.4085603112840467
                                                  RT_DIALOG0x6b5800xf8dataEnglishUnited States0.6290322580645161
                                                  RT_DIALOG0x6b6780xeedataEnglishUnited States0.6302521008403361
                                                  RT_GROUP_ICON0x6b7680x84dataEnglishUnited States0.7348484848484849
                                                  RT_MANIFEST0x6b7f00x423XML 1.0 document, ASCII text, with very long lines (1059), with no line terminatorsEnglishUnited States0.5127478753541076

                                                  Imports

                                                  DLLImport
                                                  ADVAPI32.dllRegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                  SHELL32.dllSHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                  ole32.dllIIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                  COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                  USER32.dllSetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                  GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                  KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersionExA, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                  Possible Origin

                                                  Language of compilation systemCountry where language is spokenMap
                                                  EnglishUnited States

                                                  Network Behavior

                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                  Statistics

                                                  CPU Usage

                                                  Click to jump to process

                                                  Memory Usage

                                                  Click to jump to process

                                                  High Level Behavior Distribution

                                                  Click to dive into process behavior distribution

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Target ID:0
                                                  Start time:11:14:47
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\Desktop\ZXQ3AcEN5Q.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"
                                                  Imagebase:0x400000
                                                  File size:243'715 bytes
                                                  MD5 hash:8CEB54209ABB88FBC1C17FCB1035FB49
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:4
                                                  Start time:11:16:10
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                  Imagebase:0x7ff6068e0000
                                                  File size:107'288'450 bytes
                                                  MD5 hash:E4C96146FC1754DC1B99E96E0D7AEF91
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 3%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:5
                                                  Start time:11:16:35
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Imagebase:0xfe0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 4%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  General

                                                  Target ID:7
                                                  Start time:11:16:39
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=2976 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                                                  Imagebase:0xe10000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:8
                                                  Start time:11:16:39
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3552 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                  Imagebase:0x940000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:9
                                                  Start time:11:16:39
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --mojo-platform-channel-handle=3604 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                  Imagebase:0x140000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:10
                                                  Start time:11:16:40
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193665001 --mojo-platform-channel-handle=3208 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                  Imagebase:0x700000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:11
                                                  Start time:11:16:40
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.53 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\Pinball\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1716386806407295 --launch-time-ticks=4193778155 --mojo-platform-channel-handle=3812 --field-trial-handle=2972,i,18445309876717897179,3493451648587661161,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                  Imagebase:0x90000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:12
                                                  Start time:11:16:46
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x900000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  General

                                                  Target ID:13
                                                  Start time:11:16:48
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xfc0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  General

                                                  Target ID:14
                                                  Start time:11:16:48
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x5b0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  General

                                                  Target ID:15
                                                  Start time:11:16:48
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x850000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  General

                                                  Target ID:16
                                                  Start time:11:16:49
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x400000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:17
                                                  Start time:11:16:49
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x6f0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  General

                                                  Target ID:18
                                                  Start time:11:16:49
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x9e0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:19
                                                  Start time:11:16:49
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x860000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  General

                                                  Target ID:20
                                                  Start time:11:16:50
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xbb0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:21
                                                  Start time:11:16:50
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xbb0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:22
                                                  Start time:11:16:50
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x830000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:23
                                                  Start time:11:16:50
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x600000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  General

                                                  Target ID:24
                                                  Start time:11:16:50
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x7ff6a5670000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:25
                                                  Start time:11:16:51
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x4a0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:26
                                                  Start time:11:16:51
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xe20000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:27
                                                  Start time:11:16:51
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xe90000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:28
                                                  Start time:11:16:51
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xa20000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:29
                                                  Start time:11:16:51
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xfe0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:30
                                                  Start time:11:16:51
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x7ff6ef0c0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:31
                                                  Start time:11:16:52
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x520000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:32
                                                  Start time:11:16:52
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x620000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:33
                                                  Start time:11:16:52
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x3e0000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:34
                                                  Start time:11:16:52
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x990000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:35
                                                  Start time:11:16:52
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x450000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:36
                                                  Start time:11:16:52
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x420000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  General

                                                  Target ID:37
                                                  Start time:11:16:53
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xd10000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:38
                                                  Start time:11:16:53
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0xf90000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  General

                                                  Target ID:39
                                                  Start time:11:16:53
                                                  Start date:22/05/2024
                                                  Path:C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\Pinball\Pinball.exe"
                                                  Imagebase:0x460000
                                                  File size:296'448 bytes
                                                  MD5 hash:4B690D1CA31A2224A761AD9D8690C94D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Disassembly

                                                  Reset < >

                                                    Execution Graph

                                                    Execution Coverage:19.9%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:19.2%
                                                    Total number of Nodes:1413
                                                    Total number of Limit Nodes:42
                                                    execution_graph 3737 405442 3738 405452 3737->3738 3739 405466 3737->3739 3740 4054af 3738->3740 3741 405458 3738->3741 3742 40546e IsWindowVisible 3739->3742 3748 405485 3739->3748 3743 4054b4 CallWindowProcA 3740->3743 3744 404476 SendMessageA 3741->3744 3742->3740 3745 40547b 3742->3745 3746 405462 3743->3746 3744->3746 3750 404d7d SendMessageA 3745->3750 3748->3743 3755 404dfd 3748->3755 3751 404da0 GetMessagePos ScreenToClient SendMessageA 3750->3751 3752 404ddc SendMessageA 3750->3752 3753 404dd4 3751->3753 3754 404dd9 3751->3754 3752->3753 3753->3748 3754->3752 3764 4063ad lstrcpynA 3755->3764 3757 404e10 3765 40630b wsprintfA 3757->3765 3759 404e1a 3760 40140b 2 API calls 3759->3760 3761 404e23 3760->3761 3766 4063ad lstrcpynA 3761->3766 3763 404e2a 3763->3740 3764->3757 3765->3759 3766->3763 3767 401ec5 3768 402c17 17 API calls 3767->3768 3769 401ecb 3768->3769 3770 402c17 17 API calls 3769->3770 3771 401ed7 3770->3771 3772 401ee3 ShowWindow 3771->3772 3773 401eee EnableWindow 3771->3773 3774 402ac5 3772->3774 3773->3774 3237 401746 3238 402c39 17 API calls 3237->3238 3239 40174d 3238->3239 3243 405f6f 3239->3243 3241 401754 3242 405f6f 2 API calls 3241->3242 3242->3241 3244 405f7a GetTickCount GetTempFileNameA 3243->3244 3245 405fab 3244->3245 3246 405fa7 3244->3246 3245->3241 3246->3244 3246->3245 3775 401947 3776 402c39 17 API calls 3775->3776 3777 40194e lstrlenA 3776->3777 3778 402628 3777->3778 3782 401fcb 3783 402c39 17 API calls 3782->3783 3784 401fd2 3783->3784 3785 406724 2 API calls 3784->3785 3786 401fd8 3785->3786 3788 401fea 3786->3788 3789 40630b wsprintfA 3786->3789 3789->3788 3790 403b51 3791 403b5c 3790->3791 3792 403b63 GlobalAlloc 3791->3792 3793 403b60 3791->3793 3792->3793 3794 4014d6 3795 402c17 17 API calls 3794->3795 3796 4014dc Sleep 3795->3796 3798 402ac5 3796->3798 3612 401759 3613 402c39 17 API calls 3612->3613 3614 401760 3613->3614 3615 401786 3614->3615 3616 40177e 3614->3616 3652 4063ad lstrcpynA 3615->3652 3651 4063ad lstrcpynA 3616->3651 3619 401784 3623 40668b 5 API calls 3619->3623 3620 401791 3621 405d3f 3 API calls 3620->3621 3622 401797 lstrcatA 3621->3622 3622->3619 3628 4017a3 3623->3628 3624 406724 2 API calls 3624->3628 3625 405f1b 2 API calls 3625->3628 3627 4017ba CompareFileTime 3627->3628 3628->3624 3628->3625 3628->3627 3629 40187e 3628->3629 3634 4063ad lstrcpynA 3628->3634 3637 406440 17 API calls 3628->3637 3645 405ac3 MessageBoxIndirectA 3628->3645 3648 401855 3628->3648 3650 405f40 GetFileAttributesA CreateFileA 3628->3650 3630 4054ce 24 API calls 3629->3630 3632 401888 3630->3632 3631 4054ce 24 API calls 3649 40186a 3631->3649 3633 403222 40 API calls 3632->3633 3635 40189b 3633->3635 3634->3628 3636 4018af SetFileTime 3635->3636 3638 4018c1 FindCloseChangeNotification 3635->3638 3636->3638 3637->3628 3639 4018d2 3638->3639 3638->3649 3640 4018d7 3639->3640 3641 4018ea 3639->3641 3643 406440 17 API calls 3640->3643 3642 406440 17 API calls 3641->3642 3644 4018f2 3642->3644 3646 4018df lstrcatA 3643->3646 3647 405ac3 MessageBoxIndirectA 3644->3647 3645->3628 3646->3644 3647->3649 3648->3631 3648->3649 3650->3628 3651->3619 3652->3620 3799 401659 3800 402c39 17 API calls 3799->3800 3801 40165f 3800->3801 3802 406724 2 API calls 3801->3802 3803 401665 3802->3803 3804 401959 3805 402c17 17 API calls 3804->3805 3806 401960 3805->3806 3807 402c17 17 API calls 3806->3807 3808 40196d 3807->3808 3809 402c39 17 API calls 3808->3809 3810 401984 lstrlenA 3809->3810 3812 401994 3810->3812 3811 4019d4 3812->3811 3816 4063ad lstrcpynA 3812->3816 3814 4019c4 3814->3811 3815 4019c9 lstrlenA 3814->3815 3815->3811 3816->3814 3817 401a5e 3818 402c17 17 API calls 3817->3818 3819 401a67 3818->3819 3820 402c17 17 API calls 3819->3820 3821 401a0e 3820->3821 3822 404560 lstrcpynA lstrlenA 3823 401b63 3824 402c39 17 API calls 3823->3824 3825 401b6a 3824->3825 3826 402c17 17 API calls 3825->3826 3827 401b73 wsprintfA 3826->3827 3828 402ac5 3827->3828 3829 100013a4 3836 10001426 3829->3836 3837 100013d0 3836->3837 3838 1000142f 3836->3838 3841 100010d0 GetVersionExA 3837->3841 3838->3837 3839 1000145f GlobalFree 3838->3839 3840 1000144b lstrcpynA 3838->3840 3839->3837 3840->3839 3842 10001106 3841->3842 3855 100010fc 3841->3855 3843 10001122 LoadLibraryW 3842->3843 3844 1000110e 3842->3844 3846 1000113b GetProcAddress 3843->3846 3854 100011a5 3843->3854 3845 10001225 LoadLibraryA 3844->3845 3844->3855 3847 1000123d GetProcAddress GetProcAddress GetProcAddress 3845->3847 3845->3855 3848 1000118e 3846->3848 3849 1000114e LocalAlloc 3846->3849 3850 10001323 FreeLibrary 3847->3850 3864 1000126b 3847->3864 3851 1000119a FreeLibrary 3848->3851 3852 10001189 3849->3852 3850->3855 3851->3854 3852->3848 3853 1000115c NtQuerySystemInformation 3852->3853 3853->3851 3857 1000116f LocalFree 3853->3857 3854->3855 3856 100011c1 WideCharToMultiByte lstrcmpiA 3854->3856 3858 10001217 LocalFree 3854->3858 3860 100011f7 3854->3860 3867 100014ba wsprintfA 3855->3867 3856->3854 3857->3848 3859 10001180 LocalAlloc 3857->3859 3858->3855 3859->3852 3860->3854 3861 1000103f 8 API calls 3860->3861 3861->3860 3862 100012a2 lstrlenA 3862->3864 3863 1000131c CloseHandle 3863->3850 3864->3850 3864->3862 3864->3863 3865 100012c4 lstrcpynA lstrcmpiA 3864->3865 3866 1000103f 8 API calls 3864->3866 3865->3864 3866->3864 3870 10001475 3867->3870 3871 100013e3 3870->3871 3872 1000147e GlobalAlloc lstrcpynA 3870->3872 3872->3871 3873 401d65 3874 401d78 GetDlgItem 3873->3874 3875 401d6b 3873->3875 3877 401d72 3874->3877 3876 402c17 17 API calls 3875->3876 3876->3877 3878 401db9 GetClientRect LoadImageA SendMessageA 3877->3878 3880 402c39 17 API calls 3877->3880 3881 401e1a 3878->3881 3883 401e26 3878->3883 3880->3878 3882 401e1f DeleteObject 3881->3882 3881->3883 3882->3883 3247 10001426 3248 1000146f 3247->3248 3249 1000142f 3247->3249 3249->3248 3250 1000145f GlobalFree 3249->3250 3251 1000144b lstrcpynA 3249->3251 3250->3248 3251->3250 3884 402766 3885 40276c 3884->3885 3886 402774 FindClose 3885->3886 3887 402ac5 3885->3887 3886->3887 3888 4023e8 3889 402c39 17 API calls 3888->3889 3890 4023f9 3889->3890 3891 402c39 17 API calls 3890->3891 3892 402402 3891->3892 3893 402c39 17 API calls 3892->3893 3894 40240c GetPrivateProfileStringA 3893->3894 3895 4027e8 3896 402c39 17 API calls 3895->3896 3897 4027f4 3896->3897 3898 40280a 3897->3898 3899 402c39 17 API calls 3897->3899 3900 405f1b 2 API calls 3898->3900 3899->3898 3901 402810 3900->3901 3923 405f40 GetFileAttributesA CreateFileA 3901->3923 3903 40281d 3904 4028d9 3903->3904 3907 4028c1 3903->3907 3908 402838 GlobalAlloc 3903->3908 3905 4028e0 DeleteFileA 3904->3905 3906 4028f3 3904->3906 3905->3906 3910 403222 40 API calls 3907->3910 3908->3907 3909 402851 3908->3909 3924 4034a9 SetFilePointer 3909->3924 3912 4028ce CloseHandle 3910->3912 3912->3904 3913 402857 3914 403493 ReadFile 3913->3914 3915 402860 GlobalAlloc 3914->3915 3916 402870 3915->3916 3917 4028aa 3915->3917 3918 403222 40 API calls 3916->3918 3919 405fe7 WriteFile 3917->3919 3922 40287d 3918->3922 3920 4028b6 GlobalFree 3919->3920 3920->3907 3921 4028a1 GlobalFree 3921->3917 3922->3921 3923->3903 3924->3913 3925 40166a 3926 402c39 17 API calls 3925->3926 3927 401671 3926->3927 3928 402c39 17 API calls 3927->3928 3929 40167a 3928->3929 3930 402c39 17 API calls 3929->3930 3931 401683 MoveFileA 3930->3931 3932 401696 3931->3932 3933 40168f 3931->3933 3934 406724 2 API calls 3932->3934 3937 4022ea 3932->3937 3935 401423 24 API calls 3933->3935 3936 4016a5 3934->3936 3935->3937 3936->3937 3938 406186 36 API calls 3936->3938 3938->3933 3939 4019ed 3940 402c39 17 API calls 3939->3940 3941 4019f4 3940->3941 3942 402c39 17 API calls 3941->3942 3943 4019fd 3942->3943 3944 401a04 lstrcmpiA 3943->3944 3945 401a16 lstrcmpA 3943->3945 3946 401a0a 3944->3946 3945->3946 3295 4034f1 SetErrorMode GetVersionExA 3296 403543 GetVersionExA 3295->3296 3298 403582 3295->3298 3297 40355f 3296->3297 3296->3298 3297->3298 3299 403606 3298->3299 3300 4067b9 5 API calls 3298->3300 3387 40674b GetSystemDirectoryA 3299->3387 3300->3299 3302 40361c lstrlenA 3302->3299 3303 40362c 3302->3303 3390 4067b9 GetModuleHandleA 3303->3390 3306 4067b9 5 API calls 3307 40363a 3306->3307 3308 4067b9 5 API calls 3307->3308 3309 403646 #17 OleInitialize SHGetFileInfoA 3308->3309 3396 4063ad lstrcpynA 3309->3396 3312 403694 GetCommandLineA 3397 4063ad lstrcpynA 3312->3397 3314 4036a6 3315 405d6a CharNextA 3314->3315 3316 4036cd CharNextA 3315->3316 3318 4036dc 3316->3318 3317 4037a2 3319 4037b6 GetTempPathA 3317->3319 3318->3317 3318->3318 3322 405d6a CharNextA 3318->3322 3329 4037a4 3318->3329 3398 4034c0 3319->3398 3321 4037ce 3323 4037d2 GetWindowsDirectoryA lstrcatA 3321->3323 3324 403828 DeleteFileA 3321->3324 3322->3318 3326 4034c0 12 API calls 3323->3326 3408 402f5c GetTickCount GetModuleFileNameA 3324->3408 3328 4037ee 3326->3328 3327 40383b 3330 4038d3 ExitProcess OleUninitialize 3327->3330 3333 4038c0 3327->3333 3338 405d6a CharNextA 3327->3338 3328->3324 3332 4037f2 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3328->3332 3494 4063ad lstrcpynA 3329->3494 3334 4038ea 3330->3334 3335 403a0d 3330->3335 3336 4034c0 12 API calls 3332->3336 3437 403b93 3333->3437 3497 405ac3 3334->3497 3340 403a15 GetCurrentProcess OpenProcessToken 3335->3340 3341 403a8b ExitProcess 3335->3341 3342 403820 3336->3342 3344 403855 3338->3344 3347 403a5b 3340->3347 3348 403a2c LookupPrivilegeValueA AdjustTokenPrivileges 3340->3348 3342->3324 3342->3330 3351 40389a 3344->3351 3352 4038ff 3344->3352 3349 4067b9 5 API calls 3347->3349 3348->3347 3350 403a62 3349->3350 3353 403a77 ExitWindowsEx 3350->3353 3356 403a84 3350->3356 3355 405e2d 18 API calls 3351->3355 3501 405a2e 3352->3501 3353->3341 3353->3356 3358 4038a6 3355->3358 3517 40140b 3356->3517 3358->3330 3495 4063ad lstrcpynA 3358->3495 3360 403920 lstrcatA lstrcmpiA 3360->3330 3362 40393c 3360->3362 3361 403915 lstrcatA 3361->3360 3364 403941 3362->3364 3365 403948 3362->3365 3504 405994 CreateDirectoryA 3364->3504 3509 405a11 CreateDirectoryA 3365->3509 3366 4038b5 3496 4063ad lstrcpynA 3366->3496 3371 40394d SetCurrentDirectoryA 3372 403968 3371->3372 3373 40395d 3371->3373 3513 4063ad lstrcpynA 3372->3513 3512 4063ad lstrcpynA 3373->3512 3376 406440 17 API calls 3377 4039aa DeleteFileA 3376->3377 3378 4039b8 CopyFileA 3377->3378 3384 403975 3377->3384 3378->3384 3379 403a01 3381 406186 36 API calls 3379->3381 3380 406186 36 API calls 3380->3384 3382 403a08 3381->3382 3382->3330 3383 406440 17 API calls 3383->3384 3384->3376 3384->3379 3384->3380 3384->3383 3386 4039ec CloseHandle 3384->3386 3514 405a46 CreateProcessA 3384->3514 3386->3384 3388 40676d wsprintfA LoadLibraryExA 3387->3388 3388->3302 3391 4067d5 3390->3391 3392 4067df GetProcAddress 3390->3392 3393 40674b 3 API calls 3391->3393 3394 403633 3392->3394 3395 4067db 3393->3395 3394->3306 3395->3392 3395->3394 3396->3312 3397->3314 3399 40668b 5 API calls 3398->3399 3401 4034cc 3399->3401 3400 4034d6 3400->3321 3401->3400 3402 405d3f 3 API calls 3401->3402 3403 4034de 3402->3403 3404 405a11 2 API calls 3403->3404 3405 4034e4 3404->3405 3406 405f6f 2 API calls 3405->3406 3407 4034ef 3406->3407 3407->3321 3520 405f40 GetFileAttributesA CreateFileA 3408->3520 3410 402f9f 3435 402fac 3410->3435 3521 4063ad lstrcpynA 3410->3521 3412 402fc2 3413 405d86 2 API calls 3412->3413 3414 402fc8 3413->3414 3522 4063ad lstrcpynA 3414->3522 3416 402fd3 GetFileSize 3417 4030d2 3416->3417 3436 402fea 3416->3436 3523 402ebd 3417->3523 3421 403115 GlobalAlloc 3424 405f6f 2 API calls 3421->3424 3422 403191 3425 402ebd 32 API calls 3422->3425 3427 403161 CreateFileA 3424->3427 3425->3435 3426 4030f6 3428 403493 ReadFile 3426->3428 3430 40319b 3427->3430 3427->3435 3431 403101 3428->3431 3429 402ebd 32 API calls 3429->3436 3538 4034a9 SetFilePointer 3430->3538 3431->3421 3431->3435 3433 4031a9 3539 403222 3433->3539 3435->3327 3436->3417 3436->3422 3436->3429 3436->3435 3554 403493 3436->3554 3438 4067b9 5 API calls 3437->3438 3439 403ba7 3438->3439 3440 403bad 3439->3440 3441 403bbf 3439->3441 3586 40630b wsprintfA 3440->3586 3442 406294 3 API calls 3441->3442 3443 403bea 3442->3443 3445 403c08 lstrcatA 3443->3445 3447 406294 3 API calls 3443->3447 3446 403bbd 3445->3446 3578 403e58 3446->3578 3447->3445 3450 405e2d 18 API calls 3451 403c3a 3450->3451 3452 403cc3 3451->3452 3455 406294 3 API calls 3451->3455 3453 405e2d 18 API calls 3452->3453 3454 403cc9 3453->3454 3457 403cd9 LoadImageA 3454->3457 3458 406440 17 API calls 3454->3458 3456 403c66 3455->3456 3456->3452 3461 403c82 lstrlenA 3456->3461 3464 405d6a CharNextA 3456->3464 3459 403d00 RegisterClassA 3457->3459 3460 403d7f 3457->3460 3458->3457 3462 403d36 SystemParametersInfoA CreateWindowExA 3459->3462 3470 4038d0 3459->3470 3463 40140b 2 API calls 3460->3463 3465 403c90 lstrcmpiA 3461->3465 3466 403cb6 3461->3466 3462->3460 3467 403d85 3463->3467 3468 403c80 3464->3468 3465->3466 3469 403ca0 GetFileAttributesA 3465->3469 3471 405d3f 3 API calls 3466->3471 3467->3470 3473 403e58 18 API calls 3467->3473 3468->3461 3472 403cac 3469->3472 3470->3330 3474 403cbc 3471->3474 3472->3466 3475 405d86 2 API calls 3472->3475 3476 403d96 3473->3476 3587 4063ad lstrcpynA 3474->3587 3475->3466 3478 403da2 ShowWindow 3476->3478 3479 403e25 3476->3479 3481 40674b 3 API calls 3478->3481 3588 4055a0 OleInitialize 3479->3588 3482 403dba 3481->3482 3484 403dc8 GetClassInfoA 3482->3484 3487 40674b 3 API calls 3482->3487 3483 403e2b 3485 403e47 3483->3485 3486 403e2f 3483->3486 3489 403df2 DialogBoxParamA 3484->3489 3490 403ddc GetClassInfoA RegisterClassA 3484->3490 3488 40140b 2 API calls 3485->3488 3486->3470 3492 40140b 2 API calls 3486->3492 3487->3484 3488->3470 3491 40140b 2 API calls 3489->3491 3490->3489 3493 403e1a 3491->3493 3492->3470 3493->3470 3494->3319 3495->3366 3496->3333 3498 405ad8 3497->3498 3499 4038f7 ExitProcess 3498->3499 3500 405aec MessageBoxIndirectA 3498->3500 3500->3499 3502 4067b9 5 API calls 3501->3502 3503 403904 lstrcatA 3502->3503 3503->3360 3503->3361 3505 403946 3504->3505 3506 4059e5 GetLastError 3504->3506 3505->3371 3506->3505 3507 4059f4 SetFileSecurityA 3506->3507 3507->3505 3508 405a0a GetLastError 3507->3508 3508->3505 3510 405a21 3509->3510 3511 405a25 GetLastError 3509->3511 3510->3371 3511->3510 3512->3372 3513->3384 3515 405a85 3514->3515 3516 405a79 CloseHandle 3514->3516 3515->3384 3516->3515 3518 401389 2 API calls 3517->3518 3519 401420 3518->3519 3519->3341 3520->3410 3521->3412 3522->3416 3524 402ee3 3523->3524 3525 402ecb 3523->3525 3527 402ef3 GetTickCount 3524->3527 3528 402eeb 3524->3528 3526 402ed4 DestroyWindow 3525->3526 3529 402edb 3525->3529 3526->3529 3527->3529 3531 402f01 3527->3531 3558 4067f5 3528->3558 3529->3421 3529->3435 3557 4034a9 SetFilePointer 3529->3557 3532 402f36 CreateDialogParamA ShowWindow 3531->3532 3533 402f09 3531->3533 3532->3529 3533->3529 3562 402ea1 3533->3562 3535 402f17 wsprintfA 3536 4054ce 24 API calls 3535->3536 3537 402f34 3536->3537 3537->3529 3538->3433 3540 403231 SetFilePointer 3539->3540 3541 40324d 3539->3541 3540->3541 3565 40332a GetTickCount 3541->3565 3544 4032ea 3544->3435 3545 405fb8 ReadFile 3546 40326d 3545->3546 3546->3544 3547 40332a 38 API calls 3546->3547 3548 403284 3547->3548 3548->3544 3549 4032f0 ReadFile 3548->3549 3551 403293 3548->3551 3549->3544 3551->3544 3552 405fb8 ReadFile 3551->3552 3553 405fe7 WriteFile 3551->3553 3552->3551 3553->3551 3555 405fb8 ReadFile 3554->3555 3556 4034a6 3555->3556 3556->3436 3557->3426 3559 406812 PeekMessageA 3558->3559 3560 406822 3559->3560 3561 406808 DispatchMessageA 3559->3561 3560->3529 3561->3559 3563 402eb0 3562->3563 3564 402eb2 MulDiv 3562->3564 3563->3564 3564->3535 3566 403482 3565->3566 3567 403358 3565->3567 3568 402ebd 32 API calls 3566->3568 3577 4034a9 SetFilePointer 3567->3577 3575 403254 3568->3575 3570 403363 SetFilePointer 3573 403388 3570->3573 3571 403493 ReadFile 3571->3573 3572 402ebd 32 API calls 3572->3573 3573->3571 3573->3572 3574 405fe7 WriteFile 3573->3574 3573->3575 3576 403463 SetFilePointer 3573->3576 3574->3573 3575->3544 3575->3545 3576->3566 3577->3570 3579 403e6c 3578->3579 3595 40630b wsprintfA 3579->3595 3581 403edd 3596 403f11 3581->3596 3583 403c18 3583->3450 3584 403ee2 3584->3583 3585 406440 17 API calls 3584->3585 3585->3584 3586->3446 3587->3452 3599 404476 3588->3599 3590 4055c3 3594 4055ea 3590->3594 3602 401389 3590->3602 3591 404476 SendMessageA 3592 4055fc OleUninitialize 3591->3592 3592->3483 3594->3591 3595->3581 3597 406440 17 API calls 3596->3597 3598 403f1f SetWindowTextA 3597->3598 3598->3584 3600 40448e 3599->3600 3601 40447f SendMessageA 3599->3601 3600->3590 3601->3600 3604 401390 3602->3604 3603 4013fe 3603->3590 3604->3603 3605 4013cb MulDiv SendMessageA 3604->3605 3605->3604 3947 402173 3948 402c39 17 API calls 3947->3948 3949 40217a 3948->3949 3950 402c39 17 API calls 3949->3950 3951 402184 3950->3951 3952 402c39 17 API calls 3951->3952 3953 40218e 3952->3953 3954 402c39 17 API calls 3953->3954 3955 40219b 3954->3955 3956 402c39 17 API calls 3955->3956 3957 4021a5 3956->3957 3958 4021e7 CoCreateInstance 3957->3958 3959 402c39 17 API calls 3957->3959 3962 402206 3958->3962 3964 4022b4 3958->3964 3959->3958 3960 401423 24 API calls 3961 4022ea 3960->3961 3963 402294 MultiByteToWideChar 3962->3963 3962->3964 3963->3964 3964->3960 3964->3961 3965 4022f3 3966 402c39 17 API calls 3965->3966 3967 4022f9 3966->3967 3968 402c39 17 API calls 3967->3968 3969 402302 3968->3969 3970 402c39 17 API calls 3969->3970 3971 40230b 3970->3971 3972 406724 2 API calls 3971->3972 3973 402314 3972->3973 3974 402325 lstrlenA lstrlenA 3973->3974 3975 402318 3973->3975 3977 4054ce 24 API calls 3974->3977 3976 4054ce 24 API calls 3975->3976 3979 402320 3975->3979 3976->3979 3978 402361 SHFileOperationA 3977->3978 3978->3975 3978->3979 3980 4014f4 SetForegroundWindow 3981 402ac5 3980->3981 3982 404875 3983 404885 3982->3983 3984 4048ab 3982->3984 3989 40442a 3983->3989 3992 404491 3984->3992 3987 404892 SetDlgItemTextA 3987->3984 3990 406440 17 API calls 3989->3990 3991 404435 SetDlgItemTextA 3990->3991 3991->3987 3993 404554 3992->3993 3994 4044a9 GetWindowLongA 3992->3994 3994->3993 3995 4044be 3994->3995 3995->3993 3996 4044eb GetSysColor 3995->3996 3997 4044ee 3995->3997 3996->3997 3998 4044f4 SetTextColor 3997->3998 3999 4044fe SetBkMode 3997->3999 3998->3999 4000 404516 GetSysColor 3999->4000 4001 40451c 3999->4001 4000->4001 4002 404523 SetBkColor 4001->4002 4003 40452d 4001->4003 4002->4003 4003->3993 4004 404540 DeleteObject 4003->4004 4005 404547 CreateBrushIndirect 4003->4005 4004->4005 4005->3993 4006 402375 4007 40237c 4006->4007 4010 40238f 4006->4010 4008 406440 17 API calls 4007->4008 4009 402389 4008->4009 4011 405ac3 MessageBoxIndirectA 4009->4011 4011->4010 4012 402675 4013 402c17 17 API calls 4012->4013 4018 40267f 4013->4018 4014 4026ed 4015 405fb8 ReadFile 4015->4018 4016 4026ef 4021 40630b wsprintfA 4016->4021 4018->4014 4018->4015 4018->4016 4019 4026ff 4018->4019 4019->4014 4020 402715 SetFilePointer 4019->4020 4020->4014 4021->4014 4022 4029f6 4023 402a49 4022->4023 4024 4029fd 4022->4024 4025 4067b9 5 API calls 4023->4025 4026 402c17 17 API calls 4024->4026 4029 402a47 4024->4029 4027 402a50 4025->4027 4028 402a0b 4026->4028 4030 402c39 17 API calls 4027->4030 4031 402c17 17 API calls 4028->4031 4032 402a59 4030->4032 4034 402a1a 4031->4034 4032->4029 4040 406400 4032->4040 4039 40630b wsprintfA 4034->4039 4036 402a67 4036->4029 4044 4063ea 4036->4044 4039->4029 4041 40640b 4040->4041 4042 40642e IIDFromString 4041->4042 4043 406427 4041->4043 4042->4036 4043->4036 4047 4063cf WideCharToMultiByte 4044->4047 4046 402a88 CoTaskMemFree 4046->4029 4047->4046 4048 401ef9 4049 402c39 17 API calls 4048->4049 4050 401eff 4049->4050 4051 402c39 17 API calls 4050->4051 4052 401f08 4051->4052 4053 402c39 17 API calls 4052->4053 4054 401f11 4053->4054 4055 402c39 17 API calls 4054->4055 4056 401f1a 4055->4056 4057 401423 24 API calls 4056->4057 4058 401f21 4057->4058 4065 405a89 ShellExecuteExA 4058->4065 4060 401f5c 4061 40682e 5 API calls 4060->4061 4062 4027c8 4060->4062 4063 401f76 FindCloseChangeNotification 4061->4063 4063->4062 4065->4060 3653 401f7b 3654 402c39 17 API calls 3653->3654 3655 401f81 3654->3655 3656 4054ce 24 API calls 3655->3656 3657 401f8b 3656->3657 3658 405a46 2 API calls 3657->3658 3659 401f91 3658->3659 3660 4027c8 3659->3660 3661 401fb2 FindCloseChangeNotification 3659->3661 3666 40682e WaitForSingleObject 3659->3666 3661->3660 3664 401fa6 3664->3661 3671 40630b wsprintfA 3664->3671 3667 406848 3666->3667 3668 40685a GetExitCodeProcess 3667->3668 3669 4067f5 2 API calls 3667->3669 3668->3664 3670 40684f WaitForSingleObject 3669->3670 3670->3667 3671->3661 4066 401ffb 4067 402c39 17 API calls 4066->4067 4068 402002 4067->4068 4069 4067b9 5 API calls 4068->4069 4070 402011 4069->4070 4071 402099 4070->4071 4072 402029 GlobalAlloc 4070->4072 4072->4071 4073 40203d 4072->4073 4074 4067b9 5 API calls 4073->4074 4075 402044 4074->4075 4076 4067b9 5 API calls 4075->4076 4077 40204e 4076->4077 4077->4071 4081 40630b wsprintfA 4077->4081 4079 402089 4082 40630b wsprintfA 4079->4082 4081->4079 4082->4071 4083 4018fd 4084 401934 4083->4084 4085 402c39 17 API calls 4084->4085 4086 401939 4085->4086 4087 405b6f 67 API calls 4086->4087 4088 401942 4087->4088 3692 40247e 3693 402c39 17 API calls 3692->3693 3694 402490 3693->3694 3695 402c39 17 API calls 3694->3695 3696 40249a 3695->3696 3709 402cc9 3696->3709 3699 402ac5 3700 4024cf 3702 4024db 3700->3702 3713 402c17 3700->3713 3701 402c39 17 API calls 3703 4024c8 lstrlenA 3701->3703 3705 4024fd RegSetValueExA 3702->3705 3706 403222 40 API calls 3702->3706 3703->3700 3707 402513 RegCloseKey 3705->3707 3706->3705 3707->3699 3710 402ce4 3709->3710 3716 406261 3710->3716 3714 406440 17 API calls 3713->3714 3715 402c2c 3714->3715 3715->3702 3717 406270 3716->3717 3718 4024aa 3717->3718 3719 40627b RegCreateKeyExA 3717->3719 3718->3699 3718->3700 3718->3701 3719->3718 4089 401cfe 4090 402c17 17 API calls 4089->4090 4091 401d04 IsWindow 4090->4091 4092 401a0e 4091->4092 4093 401000 4094 401037 BeginPaint GetClientRect 4093->4094 4095 40100c DefWindowProcA 4093->4095 4097 4010f3 4094->4097 4098 401179 4095->4098 4099 401073 CreateBrushIndirect FillRect DeleteObject 4097->4099 4100 4010fc 4097->4100 4099->4097 4101 401102 CreateFontIndirectA 4100->4101 4102 401167 EndPaint 4100->4102 4101->4102 4103 401112 6 API calls 4101->4103 4102->4098 4103->4102 4104 401900 4105 402c39 17 API calls 4104->4105 4106 401907 4105->4106 4107 405ac3 MessageBoxIndirectA 4106->4107 4108 401910 4107->4108 4109 402780 4110 402786 4109->4110 4111 40278a FindNextFileA 4110->4111 4113 40279c 4110->4113 4112 4027db 4111->4112 4111->4113 4115 4063ad lstrcpynA 4112->4115 4115->4113 4116 401502 4117 40151d 4116->4117 4118 40150a 4116->4118 4119 402c17 17 API calls 4118->4119 4119->4117 4120 401b87 4121 401b94 4120->4121 4122 401bd8 4120->4122 4128 401c1c 4121->4128 4130 401bab 4121->4130 4123 401c01 GlobalAlloc 4122->4123 4124 401bdc 4122->4124 4125 406440 17 API calls 4123->4125 4135 40238f 4124->4135 4141 4063ad lstrcpynA 4124->4141 4125->4128 4126 406440 17 API calls 4129 402389 4126->4129 4128->4126 4128->4135 4133 405ac3 MessageBoxIndirectA 4129->4133 4139 4063ad lstrcpynA 4130->4139 4131 401bee GlobalFree 4131->4135 4133->4135 4134 401bba 4140 4063ad lstrcpynA 4134->4140 4137 401bc9 4142 4063ad lstrcpynA 4137->4142 4139->4134 4140->4137 4141->4131 4142->4135 3252 401389 3254 401390 3252->3254 3253 4013fe 3254->3253 3255 4013cb MulDiv SendMessageA 3254->3255 3255->3254 4143 40298a 4144 402c17 17 API calls 4143->4144 4145 402990 4144->4145 4146 4027c8 4145->4146 4147 406440 17 API calls 4145->4147 4147->4146 4148 40560c 4149 4057b7 4148->4149 4150 40562e GetDlgItem GetDlgItem GetDlgItem 4148->4150 4152 4057bf GetDlgItem CreateThread CloseHandle 4149->4152 4153 4057e7 4149->4153 4193 40445f SendMessageA 4150->4193 4152->4153 4155 405815 4153->4155 4157 405836 4153->4157 4158 4057fd ShowWindow ShowWindow 4153->4158 4154 405870 4154->4157 4170 40587d SendMessageA 4154->4170 4155->4154 4159 405825 4155->4159 4160 405849 ShowWindow 4155->4160 4156 40569e 4162 4056a5 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4156->4162 4161 404491 8 API calls 4157->4161 4195 40445f SendMessageA 4158->4195 4196 404403 4159->4196 4166 405869 4160->4166 4167 40585b 4160->4167 4165 405842 4161->4165 4168 405713 4162->4168 4169 4056f7 SendMessageA SendMessageA 4162->4169 4172 404403 SendMessageA 4166->4172 4171 4054ce 24 API calls 4167->4171 4173 405726 4168->4173 4174 405718 SendMessageA 4168->4174 4169->4168 4170->4165 4175 405896 CreatePopupMenu 4170->4175 4171->4166 4172->4154 4176 40442a 18 API calls 4173->4176 4174->4173 4177 406440 17 API calls 4175->4177 4179 405736 4176->4179 4178 4058a6 AppendMenuA 4177->4178 4180 4058c4 GetWindowRect 4178->4180 4181 4058d7 TrackPopupMenu 4178->4181 4182 405773 GetDlgItem SendMessageA 4179->4182 4183 40573f ShowWindow 4179->4183 4180->4181 4181->4165 4184 4058f3 4181->4184 4182->4165 4187 40579a SendMessageA SendMessageA 4182->4187 4185 405762 4183->4185 4186 405755 ShowWindow 4183->4186 4188 405912 SendMessageA 4184->4188 4194 40445f SendMessageA 4185->4194 4186->4185 4187->4165 4188->4188 4189 40592f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4188->4189 4191 405951 SendMessageA 4189->4191 4191->4191 4192 405973 GlobalUnlock SetClipboardData CloseClipboard 4191->4192 4192->4165 4193->4156 4194->4182 4195->4155 4197 404410 SendMessageA 4196->4197 4198 40440a 4196->4198 4197->4157 4198->4197 4199 40260c 4200 402c39 17 API calls 4199->4200 4201 402613 4200->4201 4204 405f40 GetFileAttributesA CreateFileA 4201->4204 4203 40261f 4204->4203 4205 404c0d 4206 404c39 4205->4206 4207 404c1d 4205->4207 4209 404c6c 4206->4209 4210 404c3f SHGetPathFromIDListA 4206->4210 4216 405aa7 GetDlgItemTextA 4207->4216 4212 404c4f 4210->4212 4215 404c56 SendMessageA 4210->4215 4211 404c2a SendMessageA 4211->4206 4213 40140b 2 API calls 4212->4213 4213->4215 4215->4209 4216->4211 3256 100010d0 GetVersionExA 3257 10001106 3256->3257 3270 100010fc 3256->3270 3258 10001122 LoadLibraryW 3257->3258 3259 1000110e 3257->3259 3261 1000113b GetProcAddress 3258->3261 3269 100011a5 3258->3269 3260 10001225 LoadLibraryA 3259->3260 3259->3270 3262 1000123d GetProcAddress GetProcAddress GetProcAddress 3260->3262 3260->3270 3263 1000118e 3261->3263 3264 1000114e LocalAlloc 3261->3264 3265 10001323 FreeLibrary 3262->3265 3279 1000126b 3262->3279 3266 1000119a FreeLibrary 3263->3266 3267 10001189 3264->3267 3265->3270 3266->3269 3267->3263 3268 1000115c NtQuerySystemInformation 3267->3268 3268->3266 3272 1000116f LocalFree 3268->3272 3269->3270 3271 100011c1 WideCharToMultiByte lstrcmpiA 3269->3271 3273 10001217 LocalFree 3269->3273 3275 100011f7 3269->3275 3271->3269 3272->3263 3274 10001180 LocalAlloc 3272->3274 3273->3270 3274->3267 3275->3269 3282 1000103f OpenProcess 3275->3282 3277 100012a2 lstrlenA 3277->3279 3278 1000131c CloseHandle 3278->3265 3279->3265 3279->3277 3279->3278 3280 100012c4 lstrcpynA lstrcmpiA 3279->3280 3281 1000103f 8 API calls 3279->3281 3280->3279 3281->3279 3283 10001060 3282->3283 3284 100010cb 3282->3284 3285 1000106b EnumWindows 3283->3285 3286 100010ac TerminateProcess 3283->3286 3284->3275 3285->3286 3287 1000107f GetExitCodeProcess 3285->3287 3292 10001007 GetWindowThreadProcessId 3285->3292 3288 100010a7 3286->3288 3289 100010be CloseHandle 3286->3289 3287->3288 3290 1000108e 3287->3290 3288->3289 3289->3284 3290->3288 3291 10001097 WaitForSingleObject 3290->3291 3291->3286 3291->3288 3293 10001024 PostMessageA 3292->3293 3294 10001036 3292->3294 3293->3294 4217 401490 4218 4054ce 24 API calls 4217->4218 4219 401497 4218->4219 4220 402590 4221 402c79 17 API calls 4220->4221 4222 40259a 4221->4222 4223 402c17 17 API calls 4222->4223 4224 4025a3 4223->4224 4225 4025ca RegEnumValueA 4224->4225 4226 4025be RegEnumKeyA 4224->4226 4227 4027c8 4224->4227 4228 4025df RegCloseKey 4225->4228 4226->4228 4228->4227 4230 404595 4231 4045ab 4230->4231 4235 4046b7 4230->4235 4233 40442a 18 API calls 4231->4233 4232 404726 4234 404730 GetDlgItem 4232->4234 4237 4047f0 4232->4237 4236 404601 4233->4236 4238 404746 4234->4238 4239 4047ae 4234->4239 4235->4232 4235->4237 4240 4046fb GetDlgItem SendMessageA 4235->4240 4241 40442a 18 API calls 4236->4241 4242 404491 8 API calls 4237->4242 4238->4239 4247 40476c SendMessageA LoadCursorA SetCursor 4238->4247 4239->4237 4243 4047c0 4239->4243 4263 40444c EnableWindow 4240->4263 4245 40460e CheckDlgButton 4241->4245 4246 4047eb 4242->4246 4248 4047c6 SendMessageA 4243->4248 4249 4047d7 4243->4249 4261 40444c EnableWindow 4245->4261 4267 404839 4247->4267 4248->4249 4249->4246 4253 4047dd SendMessageA 4249->4253 4250 404721 4264 404815 4250->4264 4253->4246 4255 40462c GetDlgItem 4262 40445f SendMessageA 4255->4262 4258 404642 SendMessageA 4259 404660 GetSysColor 4258->4259 4260 404669 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4258->4260 4259->4260 4260->4246 4261->4255 4262->4258 4263->4250 4265 404823 4264->4265 4266 404828 SendMessageA 4264->4266 4265->4266 4266->4232 4270 405a89 ShellExecuteExA 4267->4270 4269 40479f LoadCursorA SetCursor 4269->4239 4270->4269 4271 40149d 4272 4014ab PostQuitMessage 4271->4272 4273 40238f 4271->4273 4272->4273 4274 40159d 4275 402c39 17 API calls 4274->4275 4276 4015a4 SetFileAttributesA 4275->4276 4277 4015b6 4276->4277 3720 40251e 3731 402c79 3720->3731 3723 402c39 17 API calls 3724 402531 3723->3724 3725 40253b RegQueryValueExA 3724->3725 3730 4027c8 3724->3730 3726 402561 RegCloseKey 3725->3726 3727 40255b 3725->3727 3726->3730 3727->3726 3736 40630b wsprintfA 3727->3736 3732 402c39 17 API calls 3731->3732 3733 402c90 3732->3733 3734 406233 RegOpenKeyExA 3733->3734 3735 402528 3734->3735 3735->3723 3736->3726 4278 401a1e 4279 402c39 17 API calls 4278->4279 4280 401a27 ExpandEnvironmentStringsA 4279->4280 4281 401a3b 4280->4281 4283 401a4e 4280->4283 4282 401a40 lstrcmpA 4281->4282 4281->4283 4282->4283 4289 40171f 4290 402c39 17 API calls 4289->4290 4291 401726 SearchPathA 4290->4291 4292 401741 4291->4292 4293 401d1f 4294 402c17 17 API calls 4293->4294 4295 401d26 4294->4295 4296 402c17 17 API calls 4295->4296 4297 401d32 GetDlgItem 4296->4297 4298 402628 4297->4298 4299 402aa0 SendMessageA 4300 402ac5 4299->4300 4301 402aba InvalidateRect 4299->4301 4301->4300 3020 403aa1 3021 403ab2 CloseHandle 3020->3021 3022 403abc 3020->3022 3021->3022 3023 403ad0 3022->3023 3024 403ac6 CloseHandle 3022->3024 3029 403afe 3023->3029 3024->3023 3030 403b0c 3029->3030 3031 403ad5 3030->3031 3032 403b11 FreeLibrary GlobalFree 3030->3032 3033 405b6f 3031->3033 3032->3031 3032->3032 3070 405e2d 3033->3070 3036 405b97 DeleteFileA 3065 403ae1 3036->3065 3037 405bae 3042 405cdc 3037->3042 3084 4063ad lstrcpynA 3037->3084 3039 405bd4 3040 405be7 3039->3040 3041 405bda lstrcatA 3039->3041 3089 405d86 lstrlenA 3040->3089 3046 405bed 3041->3046 3042->3065 3118 406724 FindFirstFileA 3042->3118 3047 405bfb lstrcatA 3046->3047 3048 405c06 lstrlenA FindFirstFileA 3046->3048 3047->3048 3048->3042 3068 405c2a 3048->3068 3052 405b27 5 API calls 3053 405d16 3052->3053 3054 405d30 3053->3054 3055 405d1a 3053->3055 3058 4054ce 24 API calls 3054->3058 3060 4054ce 24 API calls 3055->3060 3055->3065 3056 405cbb FindNextFileA 3059 405cd3 FindClose 3056->3059 3056->3068 3058->3065 3059->3042 3061 405d27 3060->3061 3062 406186 36 API calls 3061->3062 3062->3065 3064 405b6f 60 API calls 3064->3068 3066 4054ce 24 API calls 3066->3056 3068->3056 3068->3064 3068->3066 3085 405d6a 3068->3085 3093 4063ad lstrcpynA 3068->3093 3094 405b27 3068->3094 3102 4054ce 3068->3102 3113 406186 MoveFileExA 3068->3113 3124 4063ad lstrcpynA 3070->3124 3072 405e3e 3125 405dd8 CharNextA CharNextA 3072->3125 3075 405b8f 3075->3036 3075->3037 3077 405e7f lstrlenA 3078 405e8a 3077->3078 3082 405e54 3077->3082 3079 405d3f 3 API calls 3078->3079 3081 405e8f GetFileAttributesA 3079->3081 3080 406724 2 API calls 3080->3082 3081->3075 3082->3075 3082->3077 3082->3080 3083 405d86 2 API calls 3082->3083 3083->3077 3084->3039 3086 405d70 3085->3086 3087 405d83 3086->3087 3088 405d76 CharNextA 3086->3088 3087->3068 3088->3086 3090 405d93 3089->3090 3091 405da4 3090->3091 3092 405d98 CharPrevA 3090->3092 3091->3046 3092->3090 3092->3091 3093->3068 3140 405f1b GetFileAttributesA 3094->3140 3097 405b42 RemoveDirectoryA 3099 405b50 3097->3099 3098 405b4a DeleteFileA 3098->3099 3100 405b54 3099->3100 3101 405b60 SetFileAttributesA 3099->3101 3100->3068 3101->3100 3103 4054e9 3102->3103 3112 40558c 3102->3112 3104 405506 lstrlenA 3103->3104 3143 406440 3103->3143 3106 405514 lstrlenA 3104->3106 3107 40552f 3104->3107 3108 405526 lstrcatA 3106->3108 3106->3112 3109 405542 3107->3109 3110 405535 SetWindowTextA 3107->3110 3108->3107 3111 405548 SendMessageA SendMessageA SendMessageA 3109->3111 3109->3112 3110->3109 3111->3112 3112->3068 3114 4061a9 3113->3114 3115 40619a 3113->3115 3114->3068 3172 406016 3115->3172 3119 405d00 3118->3119 3120 40673a FindClose 3118->3120 3119->3065 3121 405d3f lstrlenA CharPrevA 3119->3121 3120->3119 3122 405d0a 3121->3122 3123 405d59 lstrcatA 3121->3123 3122->3052 3123->3122 3124->3072 3126 405df3 3125->3126 3128 405e03 3125->3128 3127 405dfe CharNextA 3126->3127 3126->3128 3130 405e23 3127->3130 3129 405d6a CharNextA 3128->3129 3128->3130 3129->3128 3130->3075 3131 40668b 3130->3131 3137 406697 3131->3137 3132 4066ff 3133 406703 CharPrevA 3132->3133 3135 40671e 3132->3135 3133->3132 3134 4066f4 CharNextA 3134->3132 3134->3137 3135->3082 3136 405d6a CharNextA 3136->3137 3137->3132 3137->3134 3137->3136 3138 4066e2 CharNextA 3137->3138 3139 4066ef CharNextA 3137->3139 3138->3137 3139->3134 3141 405b33 3140->3141 3142 405f2d SetFileAttributesA 3140->3142 3141->3097 3141->3098 3141->3100 3142->3141 3159 40644d 3143->3159 3144 406672 3145 406687 3144->3145 3167 4063ad lstrcpynA 3144->3167 3145->3104 3147 40664c lstrlenA 3147->3159 3148 406440 10 API calls 3148->3147 3152 406568 GetSystemDirectoryA 3152->3159 3153 40657b GetWindowsDirectoryA 3153->3159 3154 40668b 5 API calls 3154->3159 3155 406440 10 API calls 3155->3159 3156 4065f5 lstrcatA 3156->3159 3157 4065af SHGetSpecialFolderLocation 3158 4065c7 SHGetPathFromIDListA CoTaskMemFree 3157->3158 3157->3159 3158->3159 3159->3144 3159->3147 3159->3148 3159->3152 3159->3153 3159->3154 3159->3155 3159->3156 3159->3157 3160 406294 3159->3160 3165 40630b wsprintfA 3159->3165 3166 4063ad lstrcpynA 3159->3166 3168 406233 3160->3168 3163 4062c8 RegQueryValueExA RegCloseKey 3164 4062f7 3163->3164 3164->3159 3165->3159 3166->3159 3167->3145 3169 406242 3168->3169 3170 406246 3169->3170 3171 40624b RegOpenKeyExA 3169->3171 3170->3163 3170->3164 3171->3170 3173 406062 GetShortPathNameA 3172->3173 3174 40603c 3172->3174 3176 406181 3173->3176 3177 406077 3173->3177 3199 405f40 GetFileAttributesA CreateFileA 3174->3199 3176->3114 3177->3176 3178 40607f wsprintfA 3177->3178 3180 406440 17 API calls 3178->3180 3179 406046 CloseHandle GetShortPathNameA 3179->3176 3181 40605a 3179->3181 3182 4060a7 3180->3182 3181->3173 3181->3176 3200 405f40 GetFileAttributesA CreateFileA 3182->3200 3184 4060b4 3184->3176 3185 4060c3 GetFileSize GlobalAlloc 3184->3185 3186 4060e5 3185->3186 3187 40617a CloseHandle 3185->3187 3201 405fb8 ReadFile 3186->3201 3187->3176 3192 406104 lstrcpyA 3195 406126 3192->3195 3193 406118 3194 405ea5 4 API calls 3193->3194 3194->3195 3196 40615d SetFilePointer 3195->3196 3208 405fe7 WriteFile 3196->3208 3199->3179 3200->3184 3202 405fd6 3201->3202 3202->3187 3203 405ea5 lstrlenA 3202->3203 3204 405ee6 lstrlenA 3203->3204 3205 405eee 3204->3205 3206 405ebf lstrcmpiA 3204->3206 3205->3192 3205->3193 3206->3205 3207 405edd CharNextA 3206->3207 3207->3204 3209 406005 GlobalFree 3208->3209 3209->3187 4302 10001363 4303 10001426 2 API calls 4302->4303 4304 1000138f 4303->4304 4305 100010d0 28 API calls 4304->4305 4306 10001399 4305->4306 4307 100014ba 3 API calls 4306->4307 4308 100013a2 4307->4308 4309 4023a4 4310 4023b2 4309->4310 4311 4023ac 4309->4311 4313 402c39 17 API calls 4310->4313 4315 4023c2 4310->4315 4312 402c39 17 API calls 4311->4312 4312->4310 4313->4315 4314 4023d0 4316 402c39 17 API calls 4314->4316 4315->4314 4317 402c39 17 API calls 4315->4317 4318 4023d9 WritePrivateProfileStringA 4316->4318 4317->4314 3210 4020a5 3211 4020b7 3210->3211 3221 402165 3210->3221 3228 402c39 3211->3228 3213 401423 24 API calls 3216 4022ea 3213->3216 3215 402c39 17 API calls 3217 4020c7 3215->3217 3218 4020dc LoadLibraryExA 3217->3218 3219 4020cf GetModuleHandleA 3217->3219 3220 4020ec GetProcAddress 3218->3220 3218->3221 3219->3218 3219->3220 3222 402138 3220->3222 3223 4020fb 3220->3223 3221->3213 3224 4054ce 24 API calls 3222->3224 3226 40210b 3223->3226 3234 401423 3223->3234 3224->3226 3226->3216 3227 402159 FreeLibrary 3226->3227 3227->3216 3229 402c45 3228->3229 3230 406440 17 API calls 3229->3230 3231 402c66 3230->3231 3232 4020be 3231->3232 3233 40668b 5 API calls 3231->3233 3232->3215 3233->3232 3235 4054ce 24 API calls 3234->3235 3236 401431 3235->3236 3236->3226 4319 402e25 4320 402e34 SetTimer 4319->4320 4321 402e4d 4319->4321 4320->4321 4322 402e9b 4321->4322 4323 402ea1 MulDiv 4321->4323 4324 402e5b wsprintfA SetWindowTextA SetDlgItemTextA 4323->4324 4324->4322 4333 402429 4334 402430 4333->4334 4335 40245b 4333->4335 4337 402c79 17 API calls 4334->4337 4336 402c39 17 API calls 4335->4336 4338 402462 4336->4338 4339 402437 4337->4339 4344 402cf7 4338->4344 4341 402c39 17 API calls 4339->4341 4342 40246f 4339->4342 4343 402448 RegDeleteValueA RegCloseKey 4341->4343 4343->4342 4345 402d03 4344->4345 4346 402d0a 4344->4346 4345->4342 4346->4345 4348 402d3b 4346->4348 4349 406233 RegOpenKeyExA 4348->4349 4350 402d69 4349->4350 4351 402e13 4350->4351 4352 402d79 RegEnumValueA 4350->4352 4356 402d9c 4350->4356 4351->4345 4353 402e03 RegCloseKey 4352->4353 4352->4356 4353->4351 4354 402dd8 RegEnumKeyA 4355 402de1 RegCloseKey 4354->4355 4354->4356 4357 4067b9 5 API calls 4355->4357 4356->4353 4356->4354 4356->4355 4358 402d3b 6 API calls 4356->4358 4359 402df1 4357->4359 4358->4356 4359->4351 4360 402df5 RegDeleteKeyA 4359->4360 4360->4351 4361 4027aa 4362 402c39 17 API calls 4361->4362 4363 4027b1 FindFirstFileA 4362->4363 4364 4027d4 4363->4364 4368 4027c4 4363->4368 4366 4027db 4364->4366 4369 40630b wsprintfA 4364->4369 4370 4063ad lstrcpynA 4366->4370 4369->4366 4370->4368 4371 401c2e 4372 402c17 17 API calls 4371->4372 4373 401c35 4372->4373 4374 402c17 17 API calls 4373->4374 4375 401c42 4374->4375 4376 401c57 4375->4376 4377 402c39 17 API calls 4375->4377 4378 401c67 4376->4378 4379 402c39 17 API calls 4376->4379 4377->4376 4380 401c72 4378->4380 4381 401cbe 4378->4381 4379->4378 4382 402c17 17 API calls 4380->4382 4383 402c39 17 API calls 4381->4383 4384 401c77 4382->4384 4385 401cc3 4383->4385 4386 402c17 17 API calls 4384->4386 4387 402c39 17 API calls 4385->4387 4388 401c83 4386->4388 4389 401ccc FindWindowExA 4387->4389 4390 401c90 SendMessageTimeoutA 4388->4390 4391 401cae SendMessageA 4388->4391 4392 401cea 4389->4392 4390->4392 4391->4392 4393 40262e 4394 402633 4393->4394 4395 402647 4393->4395 4396 402c17 17 API calls 4394->4396 4397 402c39 17 API calls 4395->4397 4399 40263c 4396->4399 4398 40264e lstrlenA 4397->4398 4398->4399 4400 402670 4399->4400 4401 405fe7 WriteFile 4399->4401 4401->4400 4402 404e2f GetDlgItem GetDlgItem 4403 404e85 7 API calls 4402->4403 4409 4050ac 4402->4409 4404 404f21 SendMessageA 4403->4404 4405 404f2d DeleteObject 4403->4405 4404->4405 4406 404f38 4405->4406 4408 404f6f 4406->4408 4410 406440 17 API calls 4406->4410 4407 40518e 4412 40523a 4407->4412 4417 4051e7 SendMessageA 4407->4417 4444 40509f 4407->4444 4411 40442a 18 API calls 4408->4411 4409->4407 4420 404d7d 5 API calls 4409->4420 4445 40511b 4409->4445 4415 404f51 SendMessageA SendMessageA 4410->4415 4416 404f83 4411->4416 4413 405244 SendMessageA 4412->4413 4414 40524c 4412->4414 4413->4414 4426 405265 4414->4426 4427 40525e ImageList_Destroy 4414->4427 4437 405275 4414->4437 4415->4406 4421 40442a 18 API calls 4416->4421 4424 4051fc SendMessageA 4417->4424 4417->4444 4418 405180 SendMessageA 4418->4407 4419 404491 8 API calls 4425 40543b 4419->4425 4420->4445 4422 404f94 4421->4422 4428 40506e GetWindowLongA SetWindowLongA 4422->4428 4436 404fe6 SendMessageA 4422->4436 4439 405069 4422->4439 4441 405024 SendMessageA 4422->4441 4442 405038 SendMessageA 4422->4442 4423 4053ef 4431 405401 ShowWindow GetDlgItem ShowWindow 4423->4431 4423->4444 4429 40520f 4424->4429 4430 40526e GlobalFree 4426->4430 4426->4437 4427->4426 4432 405087 4428->4432 4438 405220 SendMessageA 4429->4438 4430->4437 4431->4444 4433 4050a4 4432->4433 4434 40508c ShowWindow 4432->4434 4455 40445f SendMessageA 4433->4455 4454 40445f SendMessageA 4434->4454 4436->4422 4437->4423 4443 404dfd 4 API calls 4437->4443 4450 4052b0 4437->4450 4438->4412 4439->4428 4439->4432 4441->4422 4442->4422 4443->4450 4444->4419 4445->4407 4445->4418 4446 4053ba 4447 4053c5 InvalidateRect 4446->4447 4451 4053d1 4446->4451 4447->4451 4448 4052de SendMessageA 4449 4052f4 4448->4449 4449->4446 4453 405368 SendMessageA SendMessageA 4449->4453 4450->4448 4450->4449 4451->4423 4456 404d38 4451->4456 4453->4449 4454->4444 4455->4409 4459 404c73 4456->4459 4458 404d4d 4458->4423 4460 404c89 4459->4460 4461 406440 17 API calls 4460->4461 4462 404ced 4461->4462 4463 406440 17 API calls 4462->4463 4464 404cf8 4463->4464 4465 406440 17 API calls 4464->4465 4466 404d0e lstrlenA wsprintfA SetDlgItemTextA 4465->4466 4466->4458 4467 403f30 4468 403f48 4467->4468 4469 4040a9 4467->4469 4468->4469 4472 403f54 4468->4472 4470 4040fa 4469->4470 4471 4040ba GetDlgItem GetDlgItem 4469->4471 4474 404154 4470->4474 4486 401389 2 API calls 4470->4486 4473 40442a 18 API calls 4471->4473 4475 403f72 4472->4475 4476 403f5f SetWindowPos 4472->4476 4479 4040e4 SetClassLongA 4473->4479 4480 404476 SendMessageA 4474->4480 4492 4040a4 4474->4492 4477 403f7b ShowWindow 4475->4477 4478 403fbd 4475->4478 4476->4475 4481 404067 4477->4481 4482 403f9b GetWindowLongA 4477->4482 4483 403fc5 DestroyWindow 4478->4483 4484 403fdc 4478->4484 4485 40140b 2 API calls 4479->4485 4508 404166 4480->4508 4491 404491 8 API calls 4481->4491 4482->4481 4487 403fb4 ShowWindow 4482->4487 4537 4043b3 4483->4537 4488 403fe1 SetWindowLongA 4484->4488 4489 403ff2 4484->4489 4485->4470 4490 40412c 4486->4490 4487->4478 4488->4492 4489->4481 4495 403ffe GetDlgItem 4489->4495 4490->4474 4496 404130 SendMessageA 4490->4496 4491->4492 4493 40140b 2 API calls 4493->4508 4494 4043b5 DestroyWindow EndDialog 4494->4537 4498 40402c 4495->4498 4499 40400f SendMessageA IsWindowEnabled 4495->4499 4496->4492 4497 4043e4 ShowWindow 4497->4492 4501 404039 4498->4501 4502 404080 SendMessageA 4498->4502 4503 40404c 4498->4503 4511 404031 4498->4511 4499->4492 4499->4498 4500 406440 17 API calls 4500->4508 4501->4502 4501->4511 4502->4481 4506 404054 4503->4506 4507 404069 4503->4507 4504 404403 SendMessageA 4504->4481 4505 40442a 18 API calls 4505->4508 4509 40140b 2 API calls 4506->4509 4510 40140b 2 API calls 4507->4510 4508->4492 4508->4493 4508->4494 4508->4500 4508->4505 4512 40442a 18 API calls 4508->4512 4528 4042f5 DestroyWindow 4508->4528 4509->4511 4510->4511 4511->4481 4511->4504 4513 4041e1 GetDlgItem 4512->4513 4514 4041f6 4513->4514 4515 4041fe ShowWindow EnableWindow 4513->4515 4514->4515 4538 40444c EnableWindow 4515->4538 4517 404228 EnableWindow 4520 40423c 4517->4520 4518 404241 GetSystemMenu EnableMenuItem SendMessageA 4519 404271 SendMessageA 4518->4519 4518->4520 4519->4520 4520->4518 4522 403f11 18 API calls 4520->4522 4539 40445f SendMessageA 4520->4539 4540 4063ad lstrcpynA 4520->4540 4522->4520 4524 4042a0 lstrlenA 4525 406440 17 API calls 4524->4525 4526 4042b1 SetWindowTextA 4525->4526 4527 401389 2 API calls 4526->4527 4527->4508 4529 40430f CreateDialogParamA 4528->4529 4528->4537 4530 404342 4529->4530 4529->4537 4531 40442a 18 API calls 4530->4531 4532 40434d GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4531->4532 4533 401389 2 API calls 4532->4533 4534 404393 4533->4534 4534->4492 4535 40439b ShowWindow 4534->4535 4536 404476 SendMessageA 4535->4536 4536->4537 4537->4492 4537->4497 4538->4517 4539->4520 4540->4524 4541 402733 4542 40273a 4541->4542 4543 402a47 4541->4543 4544 402c17 17 API calls 4542->4544 4545 402741 4544->4545 4546 402750 SetFilePointer 4545->4546 4546->4543 4547 402760 4546->4547 4549 40630b wsprintfA 4547->4549 4549->4543 4550 401e35 GetDC 4551 402c17 17 API calls 4550->4551 4552 401e47 GetDeviceCaps MulDiv ReleaseDC 4551->4552 4553 402c17 17 API calls 4552->4553 4554 401e78 4553->4554 4555 406440 17 API calls 4554->4555 4556 401eb5 CreateFontIndirectA 4555->4556 4557 402628 4556->4557 4558 4014b7 4559 4014bd 4558->4559 4560 401389 2 API calls 4559->4560 4561 4014c5 4560->4561 3672 4015bb 3673 402c39 17 API calls 3672->3673 3674 4015c2 3673->3674 3675 405dd8 4 API calls 3674->3675 3687 4015ca 3675->3687 3676 401624 3678 401652 3676->3678 3679 401629 3676->3679 3677 405d6a CharNextA 3677->3687 3682 401423 24 API calls 3678->3682 3680 401423 24 API calls 3679->3680 3681 401630 3680->3681 3691 4063ad lstrcpynA 3681->3691 3689 40164a 3682->3689 3684 405a11 2 API calls 3684->3687 3685 405a2e 5 API calls 3685->3687 3686 40163b SetCurrentDirectoryA 3686->3689 3687->3676 3687->3677 3687->3684 3687->3685 3688 40160c GetFileAttributesA 3687->3688 3690 405994 4 API calls 3687->3690 3688->3687 3690->3687 3691->3686 4562 4016bb 4563 402c39 17 API calls 4562->4563 4564 4016c1 GetFullPathNameA 4563->4564 4565 4016d8 4564->4565 4571 4016f9 4564->4571 4568 406724 2 API calls 4565->4568 4565->4571 4566 402ac5 4567 40170d GetShortPathNameA 4567->4566 4569 4016e9 4568->4569 4569->4571 4572 4063ad lstrcpynA 4569->4572 4571->4566 4571->4567 4572->4571 4573 4048bc 4574 4048e8 4573->4574 4575 4048f9 4573->4575 4634 405aa7 GetDlgItemTextA 4574->4634 4577 404905 GetDlgItem 4575->4577 4579 404964 4575->4579 4578 404919 4577->4578 4583 40492d SetWindowTextA 4578->4583 4586 405dd8 4 API calls 4578->4586 4580 404a48 4579->4580 4588 406440 17 API calls 4579->4588 4632 404bf2 4579->4632 4580->4632 4636 405aa7 GetDlgItemTextA 4580->4636 4581 4048f3 4582 40668b 5 API calls 4581->4582 4582->4575 4587 40442a 18 API calls 4583->4587 4585 404491 8 API calls 4590 404c06 4585->4590 4591 404923 4586->4591 4592 404949 4587->4592 4593 4049d8 SHBrowseForFolderA 4588->4593 4589 404a78 4594 405e2d 18 API calls 4589->4594 4591->4583 4598 405d3f 3 API calls 4591->4598 4595 40442a 18 API calls 4592->4595 4593->4580 4596 4049f0 CoTaskMemFree 4593->4596 4597 404a7e 4594->4597 4599 404957 4595->4599 4600 405d3f 3 API calls 4596->4600 4637 4063ad lstrcpynA 4597->4637 4598->4583 4635 40445f SendMessageA 4599->4635 4605 4049fd 4600->4605 4603 40495d 4607 4067b9 5 API calls 4603->4607 4604 404a34 SetDlgItemTextA 4604->4580 4605->4604 4609 406440 17 API calls 4605->4609 4606 404a95 4608 4067b9 5 API calls 4606->4608 4607->4579 4615 404a9c 4608->4615 4610 404a1c lstrcmpiA 4609->4610 4610->4604 4612 404a2d lstrcatA 4610->4612 4611 404ad8 4638 4063ad lstrcpynA 4611->4638 4612->4604 4614 404adf 4616 405dd8 4 API calls 4614->4616 4615->4611 4620 405d86 2 API calls 4615->4620 4621 404b30 4615->4621 4617 404ae5 GetDiskFreeSpaceA 4616->4617 4619 404b09 MulDiv 4617->4619 4617->4621 4619->4621 4620->4615 4622 404ba1 4621->4622 4624 404d38 20 API calls 4621->4624 4623 404bc4 4622->4623 4625 40140b 2 API calls 4622->4625 4639 40444c EnableWindow 4623->4639 4626 404b8e 4624->4626 4625->4623 4628 404ba3 SetDlgItemTextA 4626->4628 4629 404b93 4626->4629 4628->4622 4630 404c73 20 API calls 4629->4630 4630->4622 4631 404be0 4631->4632 4633 404815 SendMessageA 4631->4633 4632->4585 4633->4632 4634->4581 4635->4603 4636->4589 4637->4606 4638->4614 4639->4631

                                                    Executed Functions

                                                    Function 004034F1 Relevance: 96.7, APIs: 34, Strings: 21, Instructions: 417stringfilecomCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 4034f1-403541 SetErrorMode GetVersionExA 1 403582 0->1 2 403543-40355d GetVersionExA 0->2 3 403589 1->3 2->3 4 40355f-40357e 2->4 5 40358b-403596 3->5 6 4035ad-4035b4 3->6 4->1 9 403598-4035a7 5->9 10 4035a9 5->10 7 4035b6 6->7 8 4035be-4035fe 6->8 7->8 11 403600-403608 call 4067b9 8->11 12 403611 8->12 9->6 10->6 11->12 17 40360a 11->17 14 403616-40362a call 40674b lstrlenA 12->14 19 40362c-403648 call 4067b9 * 3 14->19 17->12 26 403659-4036b9 #17 OleInitialize SHGetFileInfoA call 4063ad GetCommandLineA call 4063ad 19->26 27 40364a-403650 19->27 34 4036c4-4036d7 call 405d6a CharNextA 26->34 35 4036bb-4036bf 26->35 27->26 31 403652 27->31 31->26 38 403798-40379c 34->38 35->34 39 4037a2 38->39 40 4036dc-4036df 38->40 43 4037b6-4037d0 GetTempPathA call 4034c0 39->43 41 4036e1-4036e5 40->41 42 4036e7-4036ee 40->42 41->41 41->42 44 4036f0-4036f1 42->44 45 4036f5-4036f8 42->45 53 4037d2-4037f0 GetWindowsDirectoryA lstrcatA call 4034c0 43->53 54 403828-403840 DeleteFileA call 402f5c 43->54 44->45 47 403789-403795 call 405d6a 45->47 48 4036fe-403702 45->48 47->38 62 403797 47->62 51 403704-40370a 48->51 52 40371a-403747 48->52 57 403710 51->57 58 40370c-40370e 51->58 59 403759-403787 52->59 60 403749-40374f 52->60 53->54 71 4037f2-403822 GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 4034c0 53->71 68 4038d3-4038e4 ExitProcess OleUninitialize 54->68 69 403846-40384c 54->69 57->52 58->52 58->57 59->47 67 4037a4-4037b1 call 4063ad 59->67 64 403751-403753 60->64 65 403755 60->65 62->38 64->59 64->65 65->59 67->43 74 4038ea-4038f9 call 405ac3 ExitProcess 68->74 75 403a0d-403a13 68->75 72 4038c4-4038cb call 403b93 69->72 73 40384e-403859 call 405d6a 69->73 71->54 71->68 83 4038d0 72->83 90 40385b-403884 73->90 91 40388f-403898 73->91 80 403a15-403a2a GetCurrentProcess OpenProcessToken 75->80 81 403a8b-403a93 75->81 88 403a5b-403a69 call 4067b9 80->88 89 403a2c-403a55 LookupPrivilegeValueA AdjustTokenPrivileges 80->89 85 403a95 81->85 86 403a98-403a9b ExitProcess 81->86 83->68 85->86 97 403a77-403a82 ExitWindowsEx 88->97 98 403a6b-403a75 88->98 89->88 94 403886-403888 90->94 95 40389a-4038a8 call 405e2d 91->95 96 4038ff-403913 call 405a2e lstrcatA 91->96 94->91 99 40388a-40388d 94->99 95->68 109 4038aa-4038c0 call 4063ad * 2 95->109 107 403920-40393a lstrcatA lstrcmpiA 96->107 108 403915-40391b lstrcatA 96->108 97->81 102 403a84-403a86 call 40140b 97->102 98->97 98->102 99->91 99->94 102->81 107->68 110 40393c-40393f 107->110 108->107 109->72 112 403941-403946 call 405994 110->112 113 403948 call 405a11 110->113 120 40394d-40395b SetCurrentDirectoryA 112->120 113->120 121 403968-403993 call 4063ad 120->121 122 40395d-403963 call 4063ad 120->122 126 403999-4039b6 call 406440 DeleteFileA 121->126 122->121 129 4039f6-4039ff 126->129 130 4039b8-4039c8 CopyFileA 126->130 129->126 131 403a01-403a08 call 406186 129->131 130->129 132 4039ca-4039ea call 406186 call 406440 call 405a46 130->132 131->68 132->129 141 4039ec-4039f3 CloseHandle 132->141 141->129
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00008001), ref: 00403514
                                                    • GetVersionExA.KERNEL32(?), ref: 0040353D
                                                    • GetVersionExA.KERNEL32(0000009C), ref: 00403554
                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040361D
                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040365A
                                                    • OleInitialize.OLE32(00000000), ref: 00403661
                                                    • SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040367F
                                                    • GetCommandLineA.KERNEL32(Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 00403694
                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000020,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000000,?,00000007,00000009,0000000B), ref: 004036CE
                                                    • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037C7
                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037D8
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037E4
                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037F8
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403800
                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403811
                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403819
                                                    • DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 0040382D
                                                    • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038D3
                                                    • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038D8
                                                    • ExitProcess.KERNEL32 ref: 004038F9
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000000,?,?,00000007,00000009,0000000B), ref: 0040390C
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000000,?,?,00000007,00000009,0000000B), ref: 0040391B
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403926
                                                    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403932
                                                    • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040394E
                                                    • DeleteFileA.KERNEL32(00429478,00429478,?,00430000,?,?,00000007,00000009,0000000B), ref: 004039AB
                                                    • CopyFileA.KERNEL32(C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,00429478,00000001), ref: 004039C0
                                                    • CloseHandle.KERNEL32(00000000,00429478,00429478,?,00429478,00000000,?,00000007,00000009,0000000B), ref: 004039ED
                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403A1B
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403A22
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A36
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A55
                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A7A
                                                    • ExitProcess.KERNEL32 ref: 00403A9B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                    • String ID: "$"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\update$C:\Users\user\Desktop$C:\Users\user\Desktop\ZXQ3AcEN5Q.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Pinball 22$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                    • API String ID: 2882342585-4098114852
                                                    • Opcode ID: 81fd53c31f629a5d9fc5bfd721c55a9fc960827f33750ddf9d0d7531c1fac7e3
                                                    • Instruction ID: e98e4a5fe24b7fbee69c2a6f36de3ff31cd048084844d0745fc1e9075a3efd0a
                                                    • Opcode Fuzzy Hash: 81fd53c31f629a5d9fc5bfd721c55a9fc960827f33750ddf9d0d7531c1fac7e3
                                                    • Instruction Fuzzy Hash: 9DE11470900254AADB21AF759D49B6F7EB89F4670AF0480BFF541B61D2C7BC4A05CB2E
                                                    Function 100010D0 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 218COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 216 100010d0-100010fa GetVersionExA 217 10001106-1000110c 216->217 218 100010fc-10001101 216->218 220 10001122-10001139 LoadLibraryW 217->220 221 1000110e-10001112 217->221 219 1000135d-10001362 218->219 224 100011a5 220->224 225 1000113b-1000114c GetProcAddress 220->225 222 10001225-10001237 LoadLibraryA 221->222 223 10001118-1000111d 221->223 226 10001332-10001337 222->226 227 1000123d-10001265 GetProcAddress * 3 222->227 229 1000135b-1000135c 223->229 228 100011aa-100011ae 224->228 230 10001195 225->230 231 1000114e-1000115a LocalAlloc 225->231 226->229 232 10001323-10001326 FreeLibrary 227->232 233 1000126b-1000126d 227->233 235 100011b0-100011b2 228->235 236 100011b7 228->236 229->219 234 1000119a-100011a3 FreeLibrary 230->234 237 10001189-1000118c 231->237 242 1000132c-10001330 232->242 233->232 240 10001273-10001275 233->240 234->228 235->229 241 100011ba-100011bf 236->241 238 1000115c-1000116d NtQuerySystemInformation 237->238 239 1000118e-10001193 237->239 238->234 247 1000116f-1000117e LocalFree 238->247 239->234 240->232 243 1000127b-10001286 240->243 244 100011c1-100011ec WideCharToMultiByte lstrcmpiA 241->244 245 1000120d-10001211 241->245 242->226 246 10001339-1000133d 242->246 243->232 258 1000128c-100012a0 243->258 244->245 248 100011ee-100011f5 244->248 251 10001213-10001215 245->251 252 10001217-10001220 LocalFree 245->252 249 10001359 246->249 250 1000133f-10001343 246->250 247->239 253 10001180-10001187 LocalAlloc 247->253 248->252 255 100011f7-1000120a call 1000103f 248->255 249->229 256 10001345-1000134a 250->256 257 1000134c-10001350 250->257 251->241 252->242 253->237 255->245 256->229 257->249 260 10001352-10001357 257->260 263 10001318-1000131a 258->263 260->229 264 100012a2-100012b6 lstrlenA 263->264 265 1000131c-1000131d CloseHandle 263->265 266 100012bd-100012c2 264->266 265->232 267 100012c4-100012ea lstrcpynA lstrcmpiA 266->267 268 100012b8-100012ba 266->268 269 100012ec-100012f3 267->269 270 1000130e-10001315 267->270 268->267 271 100012bc 268->271 269->265 272 100012f5-1000130b call 1000103f 269->272 270->263 271->266 272->270
                                                    APIs
                                                    • GetVersionExA.KERNEL32(?), ref: 100010F2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3311859841.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3311815298.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    • Associated: 00000000.00000002.3311926391.0000000010002000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    • Associated: 00000000.00000002.3312002223.0000000010004000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Version
                                                    • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
                                                    • API String ID: 1889659487-877962304
                                                    • Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                                                    • Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
                                                    • Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                                                    • Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50
                                                    Function 00405B6F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 406 405b6f-405b95 call 405e2d 409 405b97-405ba9 DeleteFileA 406->409 410 405bae-405bb5 406->410 411 405d38-405d3c 409->411 412 405bb7-405bb9 410->412 413 405bc8-405bd8 call 4063ad 410->413 414 405ce6-405ceb 412->414 415 405bbf-405bc2 412->415 419 405be7-405be8 call 405d86 413->419 420 405bda-405be5 lstrcatA 413->420 414->411 418 405ced-405cf0 414->418 415->413 415->414 421 405cf2-405cf8 418->421 422 405cfa-405d02 call 406724 418->422 423 405bed-405bf0 419->423 420->423 421->411 422->411 429 405d04-405d18 call 405d3f call 405b27 422->429 427 405bf2-405bf9 423->427 428 405bfb-405c01 lstrcatA 423->428 427->428 430 405c06-405c24 lstrlenA FindFirstFileA 427->430 428->430 444 405d30-405d33 call 4054ce 429->444 445 405d1a-405d1d 429->445 432 405c2a-405c41 call 405d6a 430->432 433 405cdc-405ce0 430->433 440 405c43-405c47 432->440 441 405c4c-405c4f 432->441 433->414 435 405ce2 433->435 435->414 440->441 446 405c49 440->446 442 405c51-405c56 441->442 443 405c62-405c70 call 4063ad 441->443 447 405c58-405c5a 442->447 448 405cbb-405ccd FindNextFileA 442->448 456 405c72-405c7a 443->456 457 405c87-405c92 call 405b27 443->457 444->411 445->421 450 405d1f-405d2e call 4054ce call 406186 445->450 446->441 447->443 452 405c5c-405c60 447->452 448->432 454 405cd3-405cd6 FindClose 448->454 450->411 452->443 452->448 454->433 456->448 459 405c7c-405c85 call 405b6f 456->459 466 405cb3-405cb6 call 4054ce 457->466 467 405c94-405c97 457->467 459->448 466->448 469 405c99-405ca9 call 4054ce call 406186 467->469 470 405cab-405cb1 467->470 469->448 470->448
                                                    APIs
                                                    • DeleteFileA.KERNEL32(?,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405B98
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*,?,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405BE0
                                                    • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*,?,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405C01
                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*,?,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405C07
                                                    • FindFirstFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*,?,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405C18
                                                    • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CC5
                                                    • FindClose.KERNEL32(00000000), ref: 00405CD6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"$C:\Users\user\AppData\Local\Temp\nsd452B.tmp\*.*$\*.*
                                                    • API String ID: 2035342205-842194049
                                                    • Opcode ID: faded9c196cd74838ca1e91bb8710b4837c88517674c147a6894f7a7db6857f4
                                                    • Instruction ID: 4718808f158ea52fcca0691a24e1ebca9c7702a3109b9de6f7b9021a1af4e111
                                                    • Opcode Fuzzy Hash: faded9c196cd74838ca1e91bb8710b4837c88517674c147a6894f7a7db6857f4
                                                    • Instruction Fuzzy Hash: 3C51B130809B04AAEB226B218D49BAF7A78DF52718F14813BF845751D1C77C9982DEAD
                                                    Function 00406724 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(75923410,0042C108,C:\,00405E70,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B8F,?,75923410,75922EE0), ref: 0040672F
                                                    • FindClose.KERNEL32(00000000), ref: 0040673B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID: C:\
                                                    • API String ID: 2295610775-3404278061
                                                    • Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
                                                    • Instruction ID: c9c9a12bc8b774ad06f6f9f90ff499a93993566126ae4f8ffc97a4986822620a
                                                    • Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
                                                    • Instruction Fuzzy Hash: 62D012715081309BD3405B386D4C85B7A58AF153353618A36F866F22E0D7348C228698
                                                    Function 00403B93 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 142 403b93-403bab call 4067b9 145 403bad-403bbd call 40630b 142->145 146 403bbf-403bf0 call 406294 142->146 155 403c13-403c3c call 403e58 call 405e2d 145->155 151 403bf2-403c03 call 406294 146->151 152 403c08-403c0e lstrcatA 146->152 151->152 152->155 160 403c42-403c47 155->160 161 403cc3-403ccb call 405e2d 155->161 160->161 163 403c49-403c6d call 406294 160->163 167 403cd9-403cfe LoadImageA 161->167 168 403ccd-403cd4 call 406440 161->168 163->161 169 403c6f-403c71 163->169 171 403d00-403d30 RegisterClassA 167->171 172 403d7f-403d87 call 40140b 167->172 168->167 173 403c82-403c8e lstrlenA 169->173 174 403c73-403c80 call 405d6a 169->174 175 403d36-403d7a SystemParametersInfoA CreateWindowExA 171->175 176 403e4e 171->176 185 403d91-403d9c call 403e58 172->185 186 403d89-403d8c 172->186 180 403c90-403c9e lstrcmpiA 173->180 181 403cb6-403cbe call 405d3f call 4063ad 173->181 174->173 175->172 179 403e50-403e57 176->179 180->181 184 403ca0-403caa GetFileAttributesA 180->184 181->161 188 403cb0-403cb1 call 405d86 184->188 189 403cac-403cae 184->189 195 403da2-403dbc ShowWindow call 40674b 185->195 196 403e25-403e2d call 4055a0 185->196 186->179 188->181 189->181 189->188 201 403dc8-403dda GetClassInfoA 195->201 202 403dbe-403dc3 call 40674b 195->202 203 403e47-403e49 call 40140b 196->203 204 403e2f-403e35 196->204 207 403df2-403e23 DialogBoxParamA call 40140b call 403ae3 201->207 208 403ddc-403dec GetClassInfoA RegisterClassA 201->208 202->201 203->176 204->186 209 403e3b-403e42 call 40140b 204->209 207->179 208->207 209->186
                                                    APIs
                                                      • Part of subcall function 004067B9: GetModuleHandleA.KERNEL32(?,00000000,?,00403633,0000000B), ref: 004067CB
                                                      • Part of subcall function 004067B9: GetProcAddress.KERNEL32(00000000,?), ref: 004067E6
                                                    • lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000009,0000000B), ref: 00403C0E
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,?,?,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,C:\Users\user\AppData\Roaming\Pinball,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,75923410), ref: 00403C83
                                                    • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C96
                                                    • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000009,0000000B), ref: 00403CA1
                                                    • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Pinball), ref: 00403CEA
                                                      • Part of subcall function 0040630B: wsprintfA.USER32 ref: 00406318
                                                    • RegisterClassA.USER32(0042EBE0), ref: 00403D27
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D3F
                                                    • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D74
                                                    • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",00000009,0000000B), ref: 00403DAA
                                                    • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBE0), ref: 00403DD6
                                                    • GetClassInfoA.USER32(00000000,RichEdit,0042EBE0), ref: 00403DE3
                                                    • RegisterClassA.USER32(0042EBE0), ref: 00403DEC
                                                    • DialogBoxParamA.USER32(?,00000000,00403F30,00000000), ref: 00403E0B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
                                                    • API String ID: 1975747703-634710080
                                                    • Opcode ID: c630cd98a2914be9174b26e2e738905288855d424b9324edbec4349d293c1a18
                                                    • Instruction ID: d89710434fc60f72bff50dd0b8e8498b1a5d6f9b4449ddb9e8b665c251f4a15f
                                                    • Opcode Fuzzy Hash: c630cd98a2914be9174b26e2e738905288855d424b9324edbec4349d293c1a18
                                                    • Instruction Fuzzy Hash: 3F61E4702042016EE620BF669D46F373A6CEB44B4DF40443FF941B22E2CB7CA9168A6D
                                                    Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 275 402f5c-402faa GetTickCount GetModuleFileNameA call 405f40 278 402fb6-402fe4 call 4063ad call 405d86 call 4063ad GetFileSize 275->278 279 402fac-402fb1 275->279 287 4030d2-4030e0 call 402ebd 278->287 288 402fea-403001 278->288 280 40321b-40321f 279->280 295 4031d5-4031da 287->295 296 4030e6-4030e9 287->296 289 403003 288->289 290 403005-403012 call 403493 288->290 289->290 299 403191-403199 call 402ebd 290->299 300 403018-40301e 290->300 295->280 297 403115-403185 GlobalAlloc call 405f6f CreateFileA 296->297 298 4030eb-403103 call 4034a9 call 403493 296->298 316 403187-40318c 297->316 317 40319b-4031cb call 4034a9 call 403222 297->317 298->295 324 403109-40310f 298->324 299->295 303 403020-403038 call 405efb 300->303 304 40309e-4030a2 300->304 308 4030ab-4030b1 303->308 322 40303a-403041 303->322 307 4030a4-4030aa call 402ebd 304->307 304->308 307->308 314 4030b3-4030c1 call 406870 308->314 315 4030c4-4030cc 308->315 314->315 315->287 315->288 316->280 330 4031d0-4031d3 317->330 322->308 326 403043-40304a 322->326 324->295 324->297 326->308 329 40304c-403053 326->329 329->308 331 403055-40305c 329->331 330->295 332 4031dc-4031ed 330->332 331->308 333 40305e-40307e 331->333 334 4031f5-4031f8 332->334 335 4031ef 332->335 333->295 336 403084-403088 333->336 339 4031fa-4031ff 334->339 335->334 337 403090-403098 336->337 338 40308a-40308e 336->338 337->308 340 40309a-40309c 337->340 338->287 338->337 339->339 341 403201-403219 call 405efb 339->341 340->308 341->280
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00402F70
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,00000400), ref: 00402F8C
                                                      • Part of subcall function 00405F40: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,80000000,00000003), ref: 00405F44
                                                      • Part of subcall function 00405F40: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66
                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,80000000,00000003), ref: 00402FD5
                                                    • GlobalAlloc.KERNEL32(00000040,00000009), ref: 0040311A
                                                    Strings
                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031D5
                                                    • Null, xrefs: 00403055
                                                    • C:\Users\user\Desktop\ZXQ3AcEN5Q.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                                                    • Error launching installer, xrefs: 00402FAC
                                                    • "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe", xrefs: 00402F65
                                                    • Inst, xrefs: 00403043
                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403187
                                                    • soft, xrefs: 0040304C
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040313A
                                                    • C:\Users\user\Desktop, xrefs: 00402FB7, 00402FBC, 00402FC2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                    • String ID: "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ZXQ3AcEN5Q.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                    • API String ID: 2803837635-951425418
                                                    • Opcode ID: 2005f208a2339c59ab43fef2da7853fb62fc6b40e03fcb6696291913a7135b04
                                                    • Instruction ID: c3dda028fec246d51fc2d1f070f96728b3bff22ba0095c66adda34c0f2e45969
                                                    • Opcode Fuzzy Hash: 2005f208a2339c59ab43fef2da7853fb62fc6b40e03fcb6696291913a7135b04
                                                    • Instruction Fuzzy Hash: F971D271A00208ABDB21AF64DE45B9A7BBCEB14319F50403BF505BB2D1D77CAE458B9C
                                                    Function 00406440 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 198stringCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 344 406440-40644b 345 40644d-40645c 344->345 346 40645e-406474 344->346 345->346 347 406668-40666c 346->347 348 40647a-406485 346->348 350 406672-40667c 347->350 351 406497-4064a1 347->351 348->347 349 40648b-406492 348->349 349->347 353 406687-406688 350->353 354 40667e-406682 call 4063ad 350->354 351->350 352 4064a7-4064ae 351->352 355 4064b4-4064e8 352->355 356 40665b 352->356 354->353 358 406608-40660b 355->358 359 4064ee-4064f8 355->359 360 406665-406667 356->360 361 40665d-406663 356->361 364 40663b-40663e 358->364 365 40660d-406610 358->365 362 406515 359->362 363 4064fa-406503 359->363 360->347 361->347 371 40651c-406523 362->371 363->362 368 406505-406508 363->368 366 406640-406647 call 406440 364->366 367 40664c-406659 lstrlenA 364->367 369 406620-40662c call 4063ad 365->369 370 406612-40661e call 40630b 365->370 366->367 367->347 368->362 373 40650a-40650d 368->373 380 406631-406637 369->380 370->380 375 406525-406527 371->375 376 406528-40652a 371->376 373->362 381 40650f-406513 373->381 375->376 378 406563-406566 376->378 379 40652c-40654f call 406294 376->379 385 406576-406579 378->385 386 406568-406574 GetSystemDirectoryA 378->386 392 406555-40655e call 406440 379->392 393 4065ef-4065f3 379->393 380->367 384 406639 380->384 381->371 388 406600-406606 call 40668b 384->388 390 4065e6-4065e8 385->390 391 40657b-406589 GetWindowsDirectoryA 385->391 389 4065ea-4065ed 386->389 388->367 389->388 389->393 390->389 394 40658b-406595 390->394 391->390 392->389 393->388 397 4065f5-4065fb lstrcatA 393->397 399 406597-40659a 394->399 400 4065af-4065c5 SHGetSpecialFolderLocation 394->400 397->388 399->400 404 40659c-4065a3 399->404 401 4065e3 400->401 402 4065c7-4065e1 SHGetPathFromIDListA CoTaskMemFree 400->402 401->390 402->389 402->401 405 4065ab-4065ad 404->405 405->389 405->400
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 0040656E
                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,00000400,?,0042A098,00000000,00405506,0042A098,00000000), ref: 00406581
                                                    • SHGetSpecialFolderLocation.SHELL32(00405506,00000000,?,0042A098,00000000,00405506,0042A098,00000000), ref: 004065BD
                                                    • SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 004065CB
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004065D7
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FB
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,?,0042A098,00000000,00405506,0042A098,00000000,00000000,00000000,00000000), ref: 0040664D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                    • String ID: 6 j$C:\Users\user\AppData\Local\Temp\setup.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 717251189-3363522035
                                                    • Opcode ID: 38398d6ecce7c9880a138569f5858357a9108e76e203ad91a2b6340bc4305649
                                                    • Instruction ID: 268467668beee15eea63ad286a81141898b18a339a36d3837aab5ec1b06c59ca
                                                    • Opcode Fuzzy Hash: 38398d6ecce7c9880a138569f5858357a9108e76e203ad91a2b6340bc4305649
                                                    • Instruction Fuzzy Hash: 13610470900100AEEF215F34ED90B7E3BA4AB15718F52413FE943BA2D1D27E8962CB5E
                                                    Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147stringtimeCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,00000031), ref: 00401798
                                                    • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,00000031), ref: 004017C2
                                                      • Part of subcall function 004063AD: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403694,Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 004063BA
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
                                                      • Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
                                                      • Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsd452B.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball\update
                                                    • API String ID: 1941528284-4001469451
                                                    • Opcode ID: cacce34dfe87c937726664b238e8662d685e89b268f2d0ef46f5665a7110999c
                                                    • Instruction ID: d74f000fe0db08ada4b1866606914215aeb9a6e76c7c3683a032828096269754
                                                    • Opcode Fuzzy Hash: cacce34dfe87c937726664b238e8662d685e89b268f2d0ef46f5665a7110999c
                                                    • Instruction Fuzzy Hash: 4041C731910515BACF107BB5CD45EAF3678EF05328B20833BF422F20E1D67C89529A6E
                                                    Function 00405994 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 542 405994-4059df CreateDirectoryA 543 4059e1-4059e3 542->543 544 4059e5-4059f2 GetLastError 542->544 545 405a0c-405a0e 543->545 544->545 546 4059f4-405a08 SetFileSecurityA 544->546 546->543 547 405a0a GetLastError 546->547 547->545
                                                    APIs
                                                    • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059D7
                                                    • GetLastError.KERNEL32 ref: 004059EB
                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405A00
                                                    • GetLastError.KERNEL32 ref: 00405A0A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$F9@
                                                    • API String ID: 3449924974-1912816640
                                                    • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                    • Instruction ID: 0e1db3289ec5df6a0f35b562325bf2216b146a324eccc31de4c45bc136cfaec7
                                                    • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                    • Instruction Fuzzy Hash: 220108B1D04219DADF109BA0C944BEFBBB8EB04354F00413ADA44B6290D7799648CFD9
                                                    Function 0040674B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 548 40674b-40676b GetSystemDirectoryA 549 40676d 548->549 550 40676f-406771 548->550 549->550 551 406781-406783 550->551 552 406773-40677b 550->552 554 406784-4067b6 wsprintfA LoadLibraryExA 551->554 552->551 553 40677d-40677f 552->553 553->554
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406762
                                                    • wsprintfA.USER32 ref: 0040679B
                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004067AF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                    • String ID: %s%s.dll$UXTHEME$\
                                                    • API String ID: 2200240437-4240819195
                                                    • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                    • Instruction ID: 3863f05650aab447081eb6fa423b6430e02618d36ffe312384f2529087dcf063
                                                    • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                    • Instruction Fuzzy Hash: 36F0217094021A6BDB149774DD0DFFB375CBB08308F14007AA58AF20C1DA78D9358B6D
                                                    Function 0040332A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 555 40332a-403352 GetTickCount 556 403482-40348a call 402ebd 555->556 557 403358-403383 call 4034a9 SetFilePointer 555->557 562 40348c-403490 556->562 563 403388-40339a 557->563 564 40339c 563->564 565 40339e-4033ac call 403493 563->565 564->565 568 4033b2-4033be 565->568 569 403474-403477 565->569 570 4033c4-4033ca 568->570 569->562 571 4033f5-403411 call 4068de 570->571 572 4033cc-4033d2 570->572 578 403413-40341b 571->578 579 40347d 571->579 572->571 573 4033d4-4033f4 call 402ebd 572->573 573->571 581 40341d-403425 call 405fe7 578->581 582 40343e-403444 578->582 580 40347f-403480 579->580 580->562 586 40342a-40342c 581->586 582->579 583 403446-403448 582->583 583->579 585 40344a-40345d 583->585 585->563 589 403463-403472 SetFilePointer 585->589 587 403479-40347b 586->587 588 40342e-40343a 586->588 587->580 588->570 590 40343c 588->590 589->556 590->585
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 0040333E
                                                      • Part of subcall function 004034A9: SetFilePointer.KERNEL32(00000000,00000000,00000000,004031A9,?), ref: 004034B7
                                                    • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,00403254,00000004,00000000,00000000,0000000B,?,004031D0,000000FF,00000000,00000000,00000009,?), ref: 00403371
                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,0040B8A0,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254,00000004,00000000,00000000,0000000B,?,004031D0,000000FF), ref: 0040346C
                                                    Strings
                                                    • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 0040339E, 004033A4
                                                    • `TA, xrefs: 00403383
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FilePointer$CountTick
                                                    • String ID: `TA$o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                    • API String ID: 1092082344-142740016
                                                    • Opcode ID: 56010228795e1ad0e08db069a67fb83c8d86121d496d992e286645f0c7fdccb7
                                                    • Instruction ID: c44045edb95023ba3cca2d031d7db8c7ecb953bf7021e17233d88aac787edfad
                                                    • Opcode Fuzzy Hash: 56010228795e1ad0e08db069a67fb83c8d86121d496d992e286645f0c7fdccb7
                                                    • Instruction Fuzzy Hash: 143181726042059FDB21BF29EE849673BACEB41359B58423BE805B62F0C7785D42CF9D
                                                    Function 00405F6F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 591 405f6f-405f79 592 405f7a-405fa5 GetTickCount GetTempFileNameA 591->592 593 405fb4-405fb6 592->593 594 405fa7-405fa9 592->594 596 405fae-405fb1 593->596 594->592 595 405fab 594->595 595->596
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405F83
                                                    • GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034EF,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007), ref: 00405F9D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                    • API String ID: 1716503409-44229769
                                                    • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                    • Instruction ID: c81afa6165f68c23ab33ae750d9da6b6d4b0ed7f5f6f860b32f83f713540d6b5
                                                    • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                    • Instruction Fuzzy Hash: DEF082363042087BDB108F55ED44B9B7B9DDF91750F14C03BFA44DA180D6B499988799
                                                    Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 597 4020a5-4020b1 598 4020b7-4020cd call 402c39 * 2 597->598 599 40216c-40216e 597->599 609 4020dc-4020ea LoadLibraryExA 598->609 610 4020cf-4020da GetModuleHandleA 598->610 600 4022e5-4022ea call 401423 599->600 606 402ac5-402ad4 600->606 612 4020ec-4020f9 GetProcAddress 609->612 613 402165-402167 609->613 610->609 610->612 614 402138-40213d call 4054ce 612->614 615 4020fb-402101 612->615 613->600 620 402142-402145 614->620 617 402103-40210f call 401423 615->617 618 40211a-402136 615->618 617->620 627 402111-402118 617->627 618->620 620->606 623 40214b-402153 call 403b33 620->623 623->606 628 402159-402160 FreeLibrary 623->628 627->620 628->606
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
                                                      • Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
                                                      • Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A
                                                    • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                    • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 2987980305-0
                                                    • Opcode ID: 8f54d1db7107121c79eeabdd4d3ff93457635344b973460777cc98a7737a160d
                                                    • Instruction ID: d5d8e73b2f819034d4a36da7431b6ab1c2b370ec15cffcebf3853f7809143cb5
                                                    • Opcode Fuzzy Hash: 8f54d1db7107121c79eeabdd4d3ff93457635344b973460777cc98a7737a160d
                                                    • Instruction Fuzzy Hash: CE21C931904215A7CF207F648E4DA9F3A706F44358F64413FF601B61D1DBBD49819A5E
                                                    Function 00403AA1 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 629 403aa1-403ab0 630 403ab2-403ab5 CloseHandle 629->630 631 403abc-403ac4 629->631 630->631 632 403ad0-403adc call 403afe call 405b6f 631->632 633 403ac6-403ac9 CloseHandle 631->633 637 403ae1-403ae2 632->637 633->632
                                                    APIs
                                                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038D8,?,?,00000007,00000009,0000000B), ref: 00403AB3
                                                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038D8,?,?,00000007,00000009,0000000B), ref: 00403AC7
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\nsd452B.tmp\, xrefs: 00403AD7
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403AA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsd452B.tmp\
                                                    • API String ID: 2962429428-233437532
                                                    • Opcode ID: a9ee9dd59f1d65fc7d516ea45ae36214ae301fc028764db5b16804c067bfeb42
                                                    • Instruction ID: d999985cb90310bf3b758c666a10fef92de30db54d65d146bcd03f9961b14051
                                                    • Opcode Fuzzy Hash: a9ee9dd59f1d65fc7d516ea45ae36214ae301fc028764db5b16804c067bfeb42
                                                    • Instruction Fuzzy Hash: A3E08631A00714A6C124EF7CAD499853A185B45331B244726F0B5F20F0C778A9575EAD
                                                    Function 00403222 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 638 403222-40322f 639 403231-403247 SetFilePointer 638->639 640 40324d-403256 call 40332a 638->640 639->640 643 403324-403327 640->643 644 40325c-40326f call 405fb8 640->644 647 403314 644->647 648 403275-403288 call 40332a 644->648 650 403316-403317 647->650 652 403322 648->652 653 40328e-403291 648->653 650->643 652->643 654 4032f0-4032f6 653->654 655 403293-403296 653->655 656 4032f8 654->656 657 4032fb-403312 ReadFile 654->657 655->652 658 40329c 655->658 656->657 657->647 659 403319-40331c 657->659 660 4032a1-4032ab 658->660 659->652 661 4032b2-4032c4 call 405fb8 660->661 662 4032ad 660->662 661->647 665 4032c6-4032cd call 405fe7 661->665 662->661 667 4032d2-4032d4 665->667 668 4032d6-4032e8 667->668 669 4032ec-4032ee 667->669 668->660 670 4032ea 668->670 669->650 670->652
                                                    APIs
                                                    • SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031D0,000000FF,00000000,00000000,00000009,?), ref: 00403247
                                                    Strings
                                                    • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 0040329C, 004032B3, 004032C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                    • API String ID: 973152223-292220189
                                                    • Opcode ID: ce81470534c94f9195f7b80e3f7d0d63071f291ff17927e88f905344df711149
                                                    • Instruction ID: 63e3bc89ebc44e63cb87267a04d05eb10b5728ec6aea7eb37a90b8226d4502d0
                                                    • Opcode Fuzzy Hash: ce81470534c94f9195f7b80e3f7d0d63071f291ff17927e88f905344df711149
                                                    • Instruction Fuzzy Hash: 67318B30600219EFDB20DF95ED84A9E7BACEB00359F50443AF904E61A1DB38DE51DBA9
                                                    Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 671 4015bb-4015ce call 402c39 call 405dd8 676 4015d0-4015e3 call 405d6a 671->676 677 401624-401627 671->677 684 4015e5-4015e8 676->684 685 4015fb-4015fc call 405a11 676->685 679 401652-4022ea call 401423 677->679 680 401629-401644 call 401423 call 4063ad SetCurrentDirectoryA 677->680 694 402ac5-402ad4 679->694 680->694 698 40164a-40164d 680->698 684->685 688 4015ea-4015f1 call 405a2e 684->688 695 401601-401603 685->695 688->685 704 4015f3-4015f4 call 405994 688->704 699 401605-40160a 695->699 700 40161a-401622 695->700 698->694 701 401617 699->701 702 40160c-401615 GetFileAttributesA 699->702 700->676 700->677 701->700 702->700 702->701 706 4015f9 704->706 706->695
                                                    APIs
                                                      • Part of subcall function 00405DD8: CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,75923410,?,75922EE0,00405B8F,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405DE6
                                                      • Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DEB
                                                      • Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DFF
                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                      • Part of subcall function 00405994: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059D7
                                                    • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Pinball\update,00000000,00000000,000000F0), ref: 0040163C
                                                    Strings
                                                    • C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00401631
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball\update
                                                    • API String ID: 1892508949-3005110170
                                                    • Opcode ID: 5387091bdfc140b8087f8c86ee1b38cdfb01a532a77df89c8285ea66194cdfe6
                                                    • Instruction ID: da078a7396538d2b68c3d46abcf0abf86ed4841e4c77ece3ad50f4b688452c44
                                                    • Opcode Fuzzy Hash: 5387091bdfc140b8087f8c86ee1b38cdfb01a532a77df89c8285ea66194cdfe6
                                                    • Instruction Fuzzy Hash: 92113431608040EBCF316FA54D419BF23B09E96324B68453FE491B22E2DA3D4C43AA3E
                                                    Function 00401EF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON
                                                    Download Yara Rule
                                                    APIs
                                                      • Part of subcall function 00405A89: ShellExecuteExA.SHELL32(?,00404871,?), ref: 00405A98
                                                      • Part of subcall function 0040682E: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
                                                      • Part of subcall function 0040682E: GetExitCodeProcess.KERNEL32(?,?), ref: 00406861
                                                    • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
                                                    • String ID: @$C:\Users\user\AppData\Roaming\Pinball\update
                                                    • API String ID: 4215836453-313890386
                                                    • Opcode ID: 42a33ea10eb81ebb8e395c18a76452fb3693937de6835ed0b384a10e39c45cab
                                                    • Instruction ID: 7e08080a47fbe8130e9793ada8ff689413f9a5fe5f8298c2b0be4b009e85711c
                                                    • Opcode Fuzzy Hash: 42a33ea10eb81ebb8e395c18a76452fb3693937de6835ed0b384a10e39c45cab
                                                    • Instruction Fuzzy Hash: 4C112875E042089ADB11EFB98A4969DBBF4AF08314F24453AE414FB2D1DABD88019F58
                                                    Function 00405E2D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                      • Part of subcall function 004063AD: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,00403694,Setup Pinball 22,NSIS Error,?,00000007,00000009,0000000B), ref: 004063BA
                                                      • Part of subcall function 00405DD8: CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,75923410,?,75922EE0,00405B8F,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405DE6
                                                      • Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DEB
                                                      • Part of subcall function 00405DD8: CharNextA.USER32(00000000), ref: 00405DFF
                                                    • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B8F,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405E80
                                                    • GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B8F,?,75923410,75922EE0), ref: 00405E90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                    • String ID: C:\
                                                    • API String ID: 3248276644-3404278061
                                                    • Opcode ID: 678f3ead996082f1db05eba5b8c2b9e3d8806008399db563f30518ef42c9b83a
                                                    • Instruction ID: 9f267cddd7eb309e72c664a5524f4ef8e78f3a4fdcff01b88aa859142a740ccd
                                                    • Opcode Fuzzy Hash: 678f3ead996082f1db05eba5b8c2b9e3d8806008399db563f30518ef42c9b83a
                                                    • Instruction Fuzzy Hash: A1F0A431144D9515C72223368D09AAF1A45CEA23A475A453BF8D1B22D2CB3C8A539DEE
                                                    Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(0040AC50,00000023,00000011,00000002), ref: 004024C9
                                                    • RegSetValueExA.KERNEL32(?,?,?,?,0040AC50,00000000,00000011,00000002), ref: 00402509
                                                    • RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CloseValuelstrlen
                                                    • String ID:
                                                    • API String ID: 2655323295-0
                                                    • Opcode ID: f366e6c306fe12082cf0b05c6ba91687424175233ff3acd6191fb73da5415940
                                                    • Instruction ID: f11ff60c4b13be1b40730626367b2ac31db3e86d33d3b539648c793afb11e8e7
                                                    • Opcode Fuzzy Hash: f366e6c306fe12082cf0b05c6ba91687424175233ff3acd6191fb73da5415940
                                                    • Instruction Fuzzy Hash: DB115171E04208AFEB10AFA59E49AAE7A74AB54714F21443BF504F71C1D6B94D809B68
                                                    Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                                                    • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                                                    • RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Enum$CloseValue
                                                    • String ID:
                                                    • API String ID: 397863658-0
                                                    • Opcode ID: d9b2f7af4b58b16225319d4737150cd9e7384b2817515e7f92340022bc23a71a
                                                    • Instruction ID: 73951399082e5fa98c6371f9b4b4b349b16151057db022cfb7c5a8f3282eca10
                                                    • Opcode Fuzzy Hash: d9b2f7af4b58b16225319d4737150cd9e7384b2817515e7f92340022bc23a71a
                                                    • Instruction Fuzzy Hash: EB017571904104FFE7159F549E88ABF7B6CEF41358F20443EF105A61C0DAB44E449679
                                                    Function 00405B27 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                      • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(?,?,00405B33,?,?,00000000,00405D16,?,?,?,?), ref: 00405F20
                                                      • Part of subcall function 00405F1B: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F34
                                                    • RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405D16), ref: 00405B42
                                                    • DeleteFileA.KERNEL32(?,?,?,00000000,00405D16), ref: 00405B4A
                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: File$Attributes$DeleteDirectoryRemove
                                                    • String ID:
                                                    • API String ID: 1655745494-0
                                                    • Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                    • Instruction ID: fc28fc13a5ffaa1451d385943006fff6504562e94068b3e8e58ff47069311b16
                                                    • Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                    • Instruction Fuzzy Hash: A9E0E531508A5196C21067309D08B5B7AF4DF96315F09493AF891F20C0C73CB8068A7D
                                                    Function 0040682E Relevance: 4.5, APIs: 3, Instructions: 27synchronizationCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
                                                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406854
                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00406861
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: ObjectSingleWait$CodeExitProcess
                                                    • String ID:
                                                    • API String ID: 2567322000-0
                                                    • Opcode ID: 5b4fe72fd1e708cd3b796925d468a13cc4a0d4fa623004970e8620b303540654
                                                    • Instruction ID: 786f37fe9b0b1b1757ae7e0e20c5bf7d2f22bc893670cbc7984a2ae372209aef
                                                    • Opcode Fuzzy Hash: 5b4fe72fd1e708cd3b796925d468a13cc4a0d4fa623004970e8620b303540654
                                                    • Instruction Fuzzy Hash: 2EE0D832A00108FBDB10AB54DD05E9E7B6EDB44744F114037FB01B61A0D7B19E62EB98
                                                    Function 00405FB8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00415460,004034A6,00000009,00000009,004033AA,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254), ref: 00405FCC
                                                    Strings
                                                    • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405FBB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                    • API String ID: 2738559852-292220189
                                                    • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                    • Instruction ID: 7e5aaa18cf238fc3c2a2d6f2c990f7ea76405a2d1e5533b3dfe085218e3ca13f
                                                    • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                    • Instruction Fuzzy Hash: 93E08C3220061EABCF109E608C04EEB3B6CEB003A0F004433F915E2140E674E8208BA8
                                                    Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
                                                    • RegCloseKey.KERNEL32(?,?,?,0040AC50,00000000,00000011,00000002), ref: 004025ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID:
                                                    • API String ID: 3356406503-0
                                                    • Opcode ID: 622720d723debc0e5387cc632ba222ec01e0168f6777bf894a7108f8d5dde447
                                                    • Instruction ID: 4b56cd5ea3ff9179ab7dc602fdd52c2e718bc4285600ddde5da30d0002e9d155
                                                    • Opcode Fuzzy Hash: 622720d723debc0e5387cc632ba222ec01e0168f6777bf894a7108f8d5dde447
                                                    • Instruction Fuzzy Hash: BE110471904204FFDF24CF64CA584AE7BB4AF00344F20483FE042B72C0D6B88A45DA1D
                                                    Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 8d6dbff36e684ac128f086476d42dfa0dacb146ee2a51e47a5bbc3284452034d
                                                    • Instruction ID: b0909b975399ca643c062e30d3ddfd7e2b7b3efc2cbaaa5a110c2e05b7795de4
                                                    • Opcode Fuzzy Hash: 8d6dbff36e684ac128f086476d42dfa0dacb146ee2a51e47a5bbc3284452034d
                                                    • Instruction Fuzzy Hash: 380121317242109BE7180B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4D
                                                    Function 00405A46 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,00000009,00000009,0000000B), ref: 00405A6F
                                                    • CloseHandle.KERNEL32(?), ref: 00405A7C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID:
                                                    • API String ID: 3712363035-0
                                                    • Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
                                                    • Instruction ID: 48950c8f4c666f3fb74f177c391d78cb5defd913bab31bd9d1c0215700feeedf
                                                    • Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
                                                    • Instruction Fuzzy Hash: 8AE0BFB5A00209BFEB109BA4ED49F7F77ACFB04608F404525BD50F2150D77499158A78
                                                    Function 004067B9 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,00000000,?,00403633,0000000B), ref: 004067CB
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004067E6
                                                      • Part of subcall function 0040674B: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406762
                                                      • Part of subcall function 0040674B: wsprintfA.USER32 ref: 0040679B
                                                      • Part of subcall function 0040674B: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 004067AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2547128583-0
                                                    • Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                    • Instruction ID: a7ac22a06370d6b0a0a90de621bba7f0ce7106f591c7cbd0d506157d44a434a2
                                                    • Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                    • Instruction Fuzzy Hash: A0E08C32604210ABD21067B49E48C7B73ACAF88708702083FF946F3240DB38DC36A66D
                                                    Function 00405F40 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,80000000,00000003), ref: 00405F44
                                                    • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                    • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                    • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                    • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                                                    Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetFileAttributesA.KERNEL32(?,?,00405B33,?,?,00000000,00405D16,?,?,?,?), ref: 00405F20
                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F34
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                    • Instruction ID: 21ee5df392e2e3ec62eeb83b5b0df553a0a1579e20daa9fad68e55b8d704abe5
                                                    • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                    • Instruction Fuzzy Hash: 99D0C972504422ABD3542728AE0889BBB55DB54271702CB35FDE5A26B1DB304C569A98
                                                    Function 00405A11 Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CreateDirectoryA.KERNEL32(?,00000000,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405A17
                                                    • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLast
                                                    • String ID:
                                                    • API String ID: 1375471231-0
                                                    • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                    • Instruction ID: 195c21080821b3492e5a44204faa0221d1fd975594f5f15cd5422cdfd2dc7f48
                                                    • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                    • Instruction Fuzzy Hash: 24C08C30714501ABD6101B30AF09B173B60AB00340F028439A38AE00A0CA308015CE2D
                                                    Function 10001426 Relevance: 2.5, APIs: 2, Instructions: 29stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
                                                    • GlobalFree.KERNELBASE(10003020), ref: 10001464
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3311859841.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3311815298.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    • Associated: 00000000.00000002.3311926391.0000000010002000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    • Associated: 00000000.00000002.3312002223.0000000010004000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FreeGloballstrcpyn
                                                    • String ID:
                                                    • API String ID: 1459762280-0
                                                    • Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                                                    • Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
                                                    • Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                                                    • Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22
                                                    Function 00401F7B Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    APIs
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
                                                      • Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
                                                      • Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A
                                                      • Part of subcall function 00405A46: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,00000009,00000009,0000000B), ref: 00405A6F
                                                      • Part of subcall function 00405A46: CloseHandle.KERNEL32(?), ref: 00405A7C
                                                    • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                      • Part of subcall function 0040682E: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040683F
                                                      • Part of subcall function 0040682E: GetExitCodeProcess.KERNEL32(?,?), ref: 00406861
                                                      • Part of subcall function 0040630B: wsprintfA.USER32 ref: 00406318
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
                                                    • String ID:
                                                    • API String ID: 1543427666-0
                                                    • Opcode ID: 932d1c38cbfb24ebf877498f87e14b96e13ba20706af4812904e15ae338fca7b
                                                    • Instruction ID: 11a60f3d6f297274548d694c0275662d066654ba76d574c38af8cf55d6395503
                                                    • Opcode Fuzzy Hash: 932d1c38cbfb24ebf877498f87e14b96e13ba20706af4812904e15ae338fca7b
                                                    • Instruction Fuzzy Hash: 0EF0B432905121DBCB20BFA14EC49EFB2A49F41318B24463FF502B21D1CB7C4E418AAE
                                                    Function 00406261 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 0040628A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                    • Instruction ID: 282812905ffe6fa8799437e3a4fe4156bb01cfe44eebde0263977a6986859224
                                                    • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                    • Instruction Fuzzy Hash: 93E0E67201010DBEDF099F50DC0AD7B372DE704300F05492EF906D4151E6B5A9705634
                                                    Function 00405FE7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,0041BF96,00415460,0040342A,00415460,0041BF96,0040B8A0,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,00403254), ref: 00405FFB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                    • Instruction ID: 0afa8209b49303e90907335d5d7c52becaf9ed0dec036a1b0300e0b740401a66
                                                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                    • Instruction Fuzzy Hash: 55E08C3224025AABDF20DE608C00EEB3B6CEB00360F014432FE16E3040DA30E831ABA8
                                                    Function 00406233 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,0042A098,?,?,004062C1,0042A098,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00406257
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Open
                                                    • String ID:
                                                    • API String ID: 71445658-0
                                                    • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                    • Instruction ID: 3d740e944366ea514e57ed2aded9f5afd8d3402cece41b903b05e0b4c8e80d31
                                                    • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                    • Instruction Fuzzy Hash: 01D0123200020DBBDF116F909D01FAB3B1EEF48350F118826FE06A4091D775D530A728
                                                    Function 00406186 Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00406190
                                                      • Part of subcall function 00406016: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,004061A7,?,?), ref: 00406047
                                                      • Part of subcall function 00406016: GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00406050
                                                      • Part of subcall function 00406016: GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 0040606D
                                                      • Part of subcall function 00406016: wsprintfA.USER32 ref: 0040608B
                                                      • Part of subcall function 00406016: GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 004060C6
                                                      • Part of subcall function 00406016: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060D5
                                                      • Part of subcall function 00406016: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040610D
                                                      • Part of subcall function 00406016: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406163
                                                      • Part of subcall function 00406016: GlobalFree.KERNEL32(00000000), ref: 00406174
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
                                                    • String ID:
                                                    • API String ID: 299535525-0
                                                    • Opcode ID: c322f9145407614dcfa10dfeecaa9c41271446476469625b6f257f08a92a98fd
                                                    • Instruction ID: 000a298da37951b9beb6bf7480c1bf72e8e5e1d416767976cc0ebe3603791975
                                                    • Opcode Fuzzy Hash: c322f9145407614dcfa10dfeecaa9c41271446476469625b6f257f08a92a98fd
                                                    • Instruction Fuzzy Hash: 5DD0A731148201BEDB211F00DD0490B7BB1FB90315F11843EF185940B0D7328060DF09
                                                    Function 004034A9 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,004031A9,?), ref: 004034B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                    • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                    • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                    • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

                                                    Non-executed Functions

                                                    Function 0040560C Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000403), ref: 0040566B
                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040567A
                                                    • GetClientRect.USER32(?,?), ref: 004056B7
                                                    • GetSystemMetrics.USER32(00000002), ref: 004056BE
                                                    • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056DF
                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056F0
                                                    • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405703
                                                    • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405711
                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405724
                                                    • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405746
                                                    • ShowWindow.USER32(?,00000008), ref: 0040575A
                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040577B
                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040578B
                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004057A4
                                                    • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004057B0
                                                    • GetDlgItem.USER32(?,000003F8), ref: 00405689
                                                      • Part of subcall function 0040445F: SendMessageA.USER32(00000028,?,00000001,0040428F), ref: 0040446D
                                                    • GetDlgItem.USER32(?,000003EC), ref: 004057CC
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000055A0,00000000), ref: 004057DA
                                                    • CloseHandle.KERNEL32(00000000), ref: 004057E1
                                                    • ShowWindow.USER32(00000000), ref: 00405804
                                                    • ShowWindow.USER32(?,00000008), ref: 0040580B
                                                    • ShowWindow.USER32(00000008), ref: 00405851
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405885
                                                    • CreatePopupMenu.USER32 ref: 00405896
                                                    • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004058AB
                                                    • GetWindowRect.USER32(?,000000FF), ref: 004058CB
                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058E4
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405920
                                                    • OpenClipboard.USER32(00000000), ref: 00405930
                                                    • EmptyClipboard.USER32 ref: 00405936
                                                    • GlobalAlloc.KERNEL32(00000042,?), ref: 0040593F
                                                    • GlobalLock.KERNEL32(00000000), ref: 00405949
                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040595D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405976
                                                    • SetClipboardData.USER32(00000001,00000000), ref: 00405981
                                                    • CloseClipboard.USER32 ref: 00405987
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                    • String ID:
                                                    • API String ID: 590372296-0
                                                    • Opcode ID: 2acb7b83d32332fc23b0f55e86c9aeee1e9b5d0168e5b03d031b27125abc7074
                                                    • Instruction ID: 7efb50357b3f50af201fa6f108fa5506fb008a5585d1c8a66461a5270055d409
                                                    • Opcode Fuzzy Hash: 2acb7b83d32332fc23b0f55e86c9aeee1e9b5d0168e5b03d031b27125abc7074
                                                    • Instruction Fuzzy Hash: F2A14971900608BFDB11AFA5DE85AAE7B79FB08354F40403AFA41B61A0CB754E51DF68
                                                    Function 004048BC Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003FB), ref: 0040490B
                                                    • SetWindowTextA.USER32(00000000,?), ref: 00404935
                                                    • SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 004049E6
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004049F1
                                                    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0042A8B8), ref: 00404A23
                                                    • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\setup.exe), ref: 00404A2F
                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A41
                                                      • Part of subcall function 00405AA7: GetDlgItemTextA.USER32(?,?,00000400,00404A78), ref: 00405ABA
                                                      • Part of subcall function 0040668B: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066E3
                                                      • Part of subcall function 0040668B: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F0
                                                      • Part of subcall function 0040668B: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F5
                                                      • Part of subcall function 0040668B: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00406705
                                                    • GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 00404AFF
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404B1A
                                                      • Part of subcall function 00404C73: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B8E,000000DF,00000000,00000400,?), ref: 00404D11
                                                      • Part of subcall function 00404C73: wsprintfA.USER32 ref: 00404D19
                                                      • Part of subcall function 00404C73: SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404D2C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: 6 j$A$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball
                                                    • API String ID: 2624150263-3423435047
                                                    • Opcode ID: f759c3bdfbf6dcf5a6d3c58857932ae76a455d95421bf85057ae9753f30115f1
                                                    • Instruction ID: 418814d4f5b482a1114e5ad802000013a356d82c32de86a083c65c853fd70f02
                                                    • Opcode Fuzzy Hash: f759c3bdfbf6dcf5a6d3c58857932ae76a455d95421bf85057ae9753f30115f1
                                                    • Instruction Fuzzy Hash: 09A17FB1A00209ABDB11AFA6C945BAF77B8EF84314F10843BF611B62D1D77C99418F6D
                                                    Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                    Strings
                                                    • C:\Users\user\AppData\Roaming\Pinball\update, xrefs: 00402238
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball\update
                                                    • API String ID: 123533781-3005110170
                                                    • Opcode ID: 33632eb9d2d55aaa42420cc03fede18144e517e278e294a30b7482181739d3ea
                                                    • Instruction ID: 04de17d00a4dc4a8b41f7435a4088df82794450048cbc41f8bf7b2fd75c255b2
                                                    • Opcode Fuzzy Hash: 33632eb9d2d55aaa42420cc03fede18144e517e278e294a30b7482181739d3ea
                                                    • Instruction Fuzzy Hash: 7E511675A00208AFDF10DFE4C988A9D7BB5AF48314F2045AAF505EB2D1DA799981CB54
                                                    Function 004027AA Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: FileFindFirst
                                                    • String ID:
                                                    • API String ID: 1974802433-0
                                                    • Opcode ID: b6c00e0e94478f12fd63b5c2aca1cdbca56b6e26543b3531c68661d346b4c890
                                                    • Instruction ID: 3fa1d78f33bc5af05a97a61fc1c3a0e432ac7d90a4ef56d453e9603bce16c14e
                                                    • Opcode Fuzzy Hash: b6c00e0e94478f12fd63b5c2aca1cdbca56b6e26543b3531c68661d346b4c890
                                                    • Instruction Fuzzy Hash: 46F05532608100DBD710EBA48A08AFEB3689F11314FB0047BF002F20C1D6F88944DB3A
                                                    Function 00406BFE Relevance: .3, Instructions: 334COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
                                                    • Instruction ID: 7a70df28d47a3628ca1b0521c3a29fd1132f15960f4e2392888d2acdccabd480
                                                    • Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
                                                    • Instruction Fuzzy Hash: 4BE18A71900709DFDB24CF58C880BAEBBF1FF45305F15842EE896A7291E738AA91CB14
                                                    Function 004073D5 Relevance: .3, Instructions: 300COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
                                                    • Instruction ID: 267aa099e2d25bcaaee6bbd59b652f1cfe254aeb6bd378defe50816dfd9dccfd
                                                    • Opcode Fuzzy Hash: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
                                                    • Instruction Fuzzy Hash: 12C13731E042199BCF18CF68D4905EEBBB2BF98314F25866AD856B7380D734B942CF95
                                                    Function 00404E2F Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 491windowmemoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404E46
                                                    • GetDlgItem.USER32(?,00000408), ref: 00404E53
                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404EA2
                                                    • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404EB9
                                                    • SetWindowLongA.USER32(?,000000FC,00405442), ref: 00404ED3
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EE5
                                                    • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404EF9
                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 00404F0F
                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404F1B
                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F2B
                                                    • DeleteObject.GDI32(00000110), ref: 00404F30
                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F5B
                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F67
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405001
                                                    • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00405031
                                                      • Part of subcall function 0040445F: SendMessageA.USER32(00000028,?,00000001,0040428F), ref: 0040446D
                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405045
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00405073
                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00405081
                                                    • ShowWindow.USER32(?,00000005), ref: 00405091
                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 0040518C
                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051F1
                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405206
                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 0040522A
                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 0040524A
                                                    • ImageList_Destroy.COMCTL32(?), ref: 0040525F
                                                    • GlobalFree.KERNEL32(?), ref: 0040526F
                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052E8
                                                    • SendMessageA.USER32(?,00001102,?,?), ref: 00405391
                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004053A0
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004053CB
                                                    • ShowWindow.USER32(?,00000000), ref: 00405419
                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405424
                                                    • ShowWindow.USER32(00000000), ref: 0040542B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $6 j$M$N
                                                    • API String ID: 2564846305-835169240
                                                    • Opcode ID: c1c194e9b9070287253358cafda237fff522e19e8e097677c2b12699a22d6652
                                                    • Instruction ID: d499fac4ffa3b846b6f4258f5395dfa7d3bb3a3819381929755cf89923acce5f
                                                    • Opcode Fuzzy Hash: c1c194e9b9070287253358cafda237fff522e19e8e097677c2b12699a22d6652
                                                    • Instruction Fuzzy Hash: E9028CB0A00609AFDB209F94DD45AAF7BB5FB44314F50813AFA10BA2E0D7799D52CF58
                                                    Function 00403F30 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F6C
                                                    • ShowWindow.USER32(?), ref: 00403F8C
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00403F9E
                                                    • ShowWindow.USER32(?,00000004), ref: 00403FB7
                                                    • DestroyWindow.USER32 ref: 00403FCB
                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FE4
                                                    • GetDlgItem.USER32(?,?), ref: 00404003
                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00404017
                                                    • IsWindowEnabled.USER32(00000000), ref: 0040401E
                                                    • GetDlgItem.USER32(?,00000001), ref: 004040C9
                                                    • GetDlgItem.USER32(?,00000002), ref: 004040D3
                                                    • SetClassLongA.USER32(?,000000F2,?), ref: 004040ED
                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 0040413E
                                                    • GetDlgItem.USER32(?,00000003), ref: 004041E4
                                                    • ShowWindow.USER32(00000000,?), ref: 00404205
                                                    • EnableWindow.USER32(?,?), ref: 00404217
                                                    • EnableWindow.USER32(?,?), ref: 00404232
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404248
                                                    • EnableMenuItem.USER32(00000000), ref: 0040424F
                                                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404267
                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 0040427A
                                                    • lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 004042A4
                                                    • SetWindowTextA.USER32(?,0042A8B8), ref: 004042B3
                                                    • ShowWindow.USER32(?,0000000A), ref: 004043E7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                    • String ID:
                                                    • API String ID: 1860320154-0
                                                    • Opcode ID: dd943b36bef5e6101a64a98db85f6916b7033b37facd6ac691b167c3a0268699
                                                    • Instruction ID: cfe8d3d22397b66955926c3cfba744adcb70c974020a8b32e677ce7b32ac045c
                                                    • Opcode Fuzzy Hash: dd943b36bef5e6101a64a98db85f6916b7033b37facd6ac691b167c3a0268699
                                                    • Instruction Fuzzy Hash: 78C1E7B1604204ABDB316F66EE45E2B3A78FB94705F40053EF741B51F0CB7998929B2E
                                                    Function 00404595 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404620
                                                    • GetDlgItem.USER32(00000000,000003E8), ref: 00404634
                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404652
                                                    • GetSysColor.USER32(?), ref: 00404663
                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404672
                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404681
                                                    • lstrlenA.KERNEL32(?), ref: 00404684
                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404693
                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004046A8
                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040470A
                                                    • SendMessageA.USER32(00000000), ref: 0040470D
                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404738
                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404778
                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00404787
                                                    • SetCursor.USER32(00000000), ref: 00404790
                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004047A6
                                                    • SetCursor.USER32(00000000), ref: 004047A9
                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 004047D5
                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                    • String ID: 6 j$N$B
                                                    • API String ID: 3103080414-1358746966
                                                    • Opcode ID: 4d05f5e0ef440667059b4acfea2602b31eb488a9e47853f73489c8b11a8fc1e8
                                                    • Instruction ID: f74a572f32c1eabaa27ded338b34f9593036d5ac8179563e1bc88d7f54208024
                                                    • Opcode Fuzzy Hash: 4d05f5e0ef440667059b4acfea2602b31eb488a9e47853f73489c8b11a8fc1e8
                                                    • Instruction Fuzzy Hash: 1961C6B1A40209BFDB10AF61CD45F6A7B69FB84714F10843AFB057B1D1C7B8A951CBA8
                                                    Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                    • DrawTextA.USER32(00000000,Setup Pinball 22,000000FF,00000010,00000820), ref: 00401156
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F$Setup Pinball 22
                                                    • API String ID: 941294808-2336980834
                                                    • Opcode ID: cb662b4f4839534f1e503674090c16ddf8ae81f728f075d0793f80a4b08fd510
                                                    • Instruction ID: 3a3012abeb301a2a27237ef274a244925febb43b73cb3b1a1ba5aa4791300789
                                                    • Opcode Fuzzy Hash: cb662b4f4839534f1e503674090c16ddf8ae81f728f075d0793f80a4b08fd510
                                                    • Instruction Fuzzy Hash: 2E419C71800209AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C774EA55DFA4
                                                    Function 00406016 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,004061A7,?,?), ref: 00406047
                                                    • GetShortPathNameA.KERNEL32(?,0042C648,00000400), ref: 00406050
                                                      • Part of subcall function 00405EA5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB5
                                                      • Part of subcall function 00405EA5: lstrlenA.KERNEL32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EE7
                                                    • GetShortPathNameA.KERNEL32(?,0042CA48,00000400), ref: 0040606D
                                                    • wsprintfA.USER32 ref: 0040608B
                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 004060C6
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060D5
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040610D
                                                    • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406163
                                                    • GlobalFree.KERNEL32(00000000), ref: 00406174
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040617B
                                                      • Part of subcall function 00405F40: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,80000000,00000003), ref: 00405F44
                                                      • Part of subcall function 00405F40: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F66
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                    • String ID: %s=%s$[Rename]
                                                    • API String ID: 2171350718-1727408572
                                                    • Opcode ID: e602bdd9d32c47316c0f043e2c5c01b3ab384ce48114597be3de32aa163f2925
                                                    • Instruction ID: 3e8574c39a0610ec67407c758a3b0be6a8c8f99fe29b991ef795125cbd817837
                                                    • Opcode Fuzzy Hash: e602bdd9d32c47316c0f043e2c5c01b3ab384ce48114597be3de32aa163f2925
                                                    • Instruction Fuzzy Hash: F33126316017167BC2306B699D49F2B3A5CDF45758F15003ABD42FA2C2DE7CE8228AAD
                                                    Function 004054CE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
                                                    • lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
                                                    • lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
                                                    • SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                    • String ID: 4/@
                                                    • API String ID: 2531174081-3101945251
                                                    • Opcode ID: 23038f27ffa0ac85a098dbcc57426fb3d31c8aaa780897c3fdab36f90d014fb0
                                                    • Instruction ID: 4b9143c85c3745f66eb79234941ef083dbb1be054dfbe47ff8ffe791c5f35d5f
                                                    • Opcode Fuzzy Hash: 23038f27ffa0ac85a098dbcc57426fb3d31c8aaa780897c3fdab36f90d014fb0
                                                    • Instruction Fuzzy Hash: F5219D71900518BBDB119FA5DD819DFBFB9EF09354F10807AF944B6290C7388E548F98
                                                    Function 0040668B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066E3
                                                    • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F0
                                                    • CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 004066F5
                                                    • CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe",004034CC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00406705
                                                    Strings
                                                    • *?|<>/":, xrefs: 004066D3
                                                    • "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe", xrefs: 0040668B
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040668C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: "C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 589700163-961988718
                                                    • Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                    • Instruction ID: ad50ec36196ae086b1f079829a382c2ab89d98dbc250fae59a25bbaada14e1cc
                                                    • Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                    • Instruction Fuzzy Hash: 6711046180479169FB3207284C44B776F884F97764F19087FE8D2732C2CA7E5CA29A6D
                                                    Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • DestroyWindow.USER32(?,00000000), ref: 00402ED5
                                                    • GetTickCount.KERNEL32 ref: 00402EF3
                                                    • wsprintfA.USER32 ref: 00402F21
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 00405507
                                                      • Part of subcall function 004054CE: lstrlenA.KERNEL32(4/@,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 00405517
                                                      • Part of subcall function 004054CE: lstrcatA.KERNEL32(0042A098,00000020,4/@,0042A098,00000000,00000000,00000000), ref: 0040552A
                                                      • Part of subcall function 004054CE: SetWindowTextA.USER32(0042A098,0042A098), ref: 0040553C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405562
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040557C
                                                      • Part of subcall function 004054CE: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040558A
                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                                                      • Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                    • String ID: ... %d%%$#Vh%.@
                                                    • API String ID: 722711167-1706192003
                                                    • Opcode ID: befa2999037e7dacf8acf22525320a04b4604363a871a5f770e998e30c514811
                                                    • Instruction ID: a0a68cef0ca481793848c2d9aefcb7cb5e5ecf8e4390e60164e55f5bd8f95203
                                                    • Opcode Fuzzy Hash: befa2999037e7dacf8acf22525320a04b4604363a871a5f770e998e30c514811
                                                    • Instruction Fuzzy Hash: 36018E70541221EBCB21BB50EF0CA5B367CAB00745B94003AF605B11E0D6F8894ADFEE
                                                    Function 00404491 Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetWindowLongA.USER32(?,000000EB), ref: 004044AE
                                                    • GetSysColor.USER32(00000000), ref: 004044EC
                                                    • SetTextColor.GDI32(?,00000000), ref: 004044F8
                                                    • SetBkMode.GDI32(?,?), ref: 00404504
                                                    • GetSysColor.USER32(?), ref: 00404517
                                                    • SetBkColor.GDI32(?,?), ref: 00404527
                                                    • DeleteObject.GDI32(?), ref: 00404541
                                                    • CreateBrushIndirect.GDI32(?), ref: 0040454B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                    • Instruction ID: 2fec9bf24bc66026ef53c67dad773596a416ec909f357223c019effc5fa8433a
                                                    • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                    • Instruction Fuzzy Hash: CF2167B1500704EBCB319F68DD18B5BBBF4AF41714B04892EFAA6B26E0C738E544CB54
                                                    Function 00404D7D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D98
                                                    • GetMessagePos.USER32 ref: 00404DA0
                                                    • ScreenToClient.USER32(?,?), ref: 00404DBA
                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DCC
                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DF2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                    • Instruction ID: fe6a20cf2c11a788ccad747fd5f00ef64c02a9fce7e576cf88be79dcb12c2241
                                                    • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                    • Instruction Fuzzy Hash: 66014871900219BADB00DBA8DD85BFEBBB8AF55B15F10016ABA41B61C0C6B499018BA8
                                                    Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                    • wsprintfA.USER32 ref: 00402E74
                                                    • SetWindowTextA.USER32(?,?), ref: 00402E84
                                                    • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                    • API String ID: 1451636040-1158693248
                                                    • Opcode ID: 5099d59064bf0d622706c43f384fe22f0e9d0c525a15326d4d650ee4aa82a6b2
                                                    • Instruction ID: 2c2aa0c7049332f53b6d42298637789440614c7c2e4359aadf4d2442cb353dca
                                                    • Opcode Fuzzy Hash: 5099d59064bf0d622706c43f384fe22f0e9d0c525a15326d4d650ee4aa82a6b2
                                                    • Instruction Fuzzy Hash: B1F01D7054020DBBEF21AF60DE0ABAE3769AB14345F00803AFA06B51D0DBF899558B99
                                                    Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                    • GlobalFree.KERNEL32(?), ref: 004028A4
                                                    • GlobalFree.KERNEL32(00000000), ref: 004028B7
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                    • String ID:
                                                    • API String ID: 2667972263-0
                                                    • Opcode ID: 2df3cb68b5dbc429f4f1c6a3098a75d6b21630ffe2b8286246b8db2eba0fa2f8
                                                    • Instruction ID: 072e3b5d3c571983fced0d66139dcaa8d7c51a737b65702004a33dc82ef3b9c0
                                                    • Opcode Fuzzy Hash: 2df3cb68b5dbc429f4f1c6a3098a75d6b21630ffe2b8286246b8db2eba0fa2f8
                                                    • Instruction Fuzzy Hash: 1A316C32800128BBDF216FA5DE49D9E7B79AF08324F14423AF554B62E1CB794D419B68
                                                    Function 1000103F Relevance: 9.1, APIs: 6, Instructions: 55synchronizationCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
                                                    • EnumWindows.USER32(10001007,?), ref: 10001074
                                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
                                                    • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
                                                    • CloseHandle.KERNEL32(00000000), ref: 100010C5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3311859841.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                    • Associated: 00000000.00000002.3311815298.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    • Associated: 00000000.00000002.3311926391.0000000010002000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    • Associated: 00000000.00000002.3312002223.0000000010004000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
                                                    • String ID:
                                                    • API String ID: 3465249596-0
                                                    • Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                    • Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
                                                    • Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                    • Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
                                                    Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CloseEnum$DeleteValue
                                                    • String ID:
                                                    • API String ID: 1354259210-0
                                                    • Opcode ID: b743165f959946a4ccd9b25dfd89ff3ae47307fb0fa25d43bbc95ee673993e20
                                                    • Instruction ID: 7635178ac91153ec690d33bbb3d07e4398e625bcf7d11104edb46be020a0d663
                                                    • Opcode Fuzzy Hash: b743165f959946a4ccd9b25dfd89ff3ae47307fb0fa25d43bbc95ee673993e20
                                                    • Instruction Fuzzy Hash: 24212B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AFA55B11A0D7B49EA49AA4
                                                    Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                    • GetClientRect.USER32(?,?), ref: 00401DCC
                                                    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                    • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                    • DeleteObject.GDI32(00000000), ref: 00401E20
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    • Opcode ID: de32b336c1ffdc66ac374c0ca9fff1b1f5d0d7551e6d5e34af7361189a15debb
                                                    • Instruction ID: 27b1212a805eea3139c87a475943c4b4ab790071e569df717d046b8c5e7325cd
                                                    • Opcode Fuzzy Hash: de32b336c1ffdc66ac374c0ca9fff1b1f5d0d7551e6d5e34af7361189a15debb
                                                    • Instruction Fuzzy Hash: B5215A72E00109AFCF14DFA4DD85AAEBBB5EB48300F24407EF901F62A0DB389941DB14
                                                    Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetDC.USER32(?), ref: 00401E38
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                    • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                    • CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                    • String ID:
                                                    • API String ID: 3808545654-0
                                                    • Opcode ID: 15cf77a67f34936d3abac871dc2773a608caae73cb034566782e53c9d0023549
                                                    • Instruction ID: 685b73550df4dfc38284db97e20d4fcba876ab7456e304ac105fd168e902647a
                                                    • Opcode Fuzzy Hash: 15cf77a67f34936d3abac871dc2773a608caae73cb034566782e53c9d0023549
                                                    • Instruction Fuzzy Hash: 46018072544248AEE7007BB1AF4AA9A7FE8E755305F108839F241B61F2CB780448CB6D
                                                    Function 00404C73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B8E,000000DF,00000000,00000400,?), ref: 00404D11
                                                    • wsprintfA.USER32 ref: 00404D19
                                                    • SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404D2C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s
                                                    • API String ID: 3540041739-3551169577
                                                    • Opcode ID: fd4e6de80d7076eadaf05026f9996a105bc8a90ef5d6e2270e2ceec6d89389f4
                                                    • Instruction ID: 80ef3aaef9c7940d6c9ce4e805d84fd1729c92a9eb25c0fff6ef42e4110b4dd6
                                                    • Opcode Fuzzy Hash: fd4e6de80d7076eadaf05026f9996a105bc8a90ef5d6e2270e2ceec6d89389f4
                                                    • Instruction Fuzzy Hash: B7110D7360812437E700666D9C42EAE3298DB85378F254237FE25F31D1DA78CC2242ED
                                                    Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    • Opcode ID: 19a7777fe1495908293cc8df242e47f69f85fd711ccd5f7a82add7804c840abb
                                                    • Instruction ID: d04047f7d872ba11913f05e2c7a8e30a40315ff7848647abde4a87fe257326fc
                                                    • Opcode Fuzzy Hash: 19a7777fe1495908293cc8df242e47f69f85fd711ccd5f7a82add7804c840abb
                                                    • Instruction Fuzzy Hash: 1B218571948208BEEB059FF5D986AAD7FB4EF44304F10447FF101B61D1D7B989819B18
                                                    Function 00405D3F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405D45
                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034DE,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037CE,?,00000007,00000009,0000000B), ref: 00405D4E
                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D5F
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D3F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 2659869361-823278215
                                                    • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                    • Instruction ID: 3965532e52c2964af4e4a5008f28a1982034686e92c93decc9c116211ffbf6ee
                                                    • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                    • Instruction Fuzzy Hash: 64D0A7621016307AD21126159C09ECF19088F02314B0A4027F540B6191C63C4C2287FD
                                                    Function 00405DD8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CharNextA.USER32(?,?,C:\,0000000B,00405E44,C:\,C:\,75923410,?,75922EE0,00405B8F,?,75923410,75922EE0,"C:\Users\user\Desktop\ZXQ3AcEN5Q.exe"), ref: 00405DE6
                                                    • CharNextA.USER32(00000000), ref: 00405DEB
                                                    • CharNextA.USER32(00000000), ref: 00405DFF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID: C:\
                                                    • API String ID: 3213498283-3404278061
                                                    • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                    • Instruction ID: bf86ed20fb7b94292cf6712911d0d54b52c00300c187dbabdd3beb47ec0449aa
                                                    • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                    • Instruction Fuzzy Hash: 59F09671904F516AFB325764DC44B775B88DB99351F18447BD5C07A2C1C37C4A814FEA
                                                    Function 00405442 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 00405471
                                                    • CallWindowProcA.USER32(?,?,?,?), ref: 004054C2
                                                      • Part of subcall function 00404476: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404488
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: Window$CallMessageProcSendVisible
                                                    • String ID:
                                                    • API String ID: 3748168415-3916222277
                                                    • Opcode ID: 92a9fd2b7c2ec255fefba8023c613c5f78be7de0a7b6046c5c0ea937018391f1
                                                    • Instruction ID: cd94b52dfe26eb285e266741e60656ba327741ee1343d18e5777b23f1cc810fd
                                                    • Opcode Fuzzy Hash: 92a9fd2b7c2ec255fefba8023c613c5f78be7de0a7b6046c5c0ea937018391f1
                                                    • Instruction Fuzzy Hash: FC017171101A09AFEF209F11DD80BDB3666EB84356F544136FE04791E2C73D8CA29E2A
                                                    Function 00406294 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Local\Temp\setup.exe,0042A098,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\setup.exe,?,0040654C,80000002), ref: 004062DA
                                                    • RegCloseKey.ADVAPI32(?,?,0040654C,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,?,0042A098), ref: 004062E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID: C:\Users\user\AppData\Local\Temp\setup.exe
                                                    • API String ID: 3356406503-4037476823
                                                    • Opcode ID: a06636a21785f92a6ab7dc052d514d90bb4365a2268a51d0e95fcadfc93642b0
                                                    • Instruction ID: 01dcb0f67e6ed75bb3d5fe412ec2f5c27d3211a9352167a32a014d0c2b7904db
                                                    • Opcode Fuzzy Hash: a06636a21785f92a6ab7dc052d514d90bb4365a2268a51d0e95fcadfc93642b0
                                                    • Instruction Fuzzy Hash: 10015E72500209AAEF228F55CD05FDB3BA8EF55354F01403AFD56A2190D374D968DBA4
                                                    Function 00405D86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,80000000,00000003), ref: 00405D8C
                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402FC8,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,C:\Users\user\Desktop\ZXQ3AcEN5Q.exe,80000000,00000003), ref: 00405D9A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrlen
                                                    • String ID: C:\Users\user\Desktop
                                                    • API String ID: 2709904686-1246513382
                                                    • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                    • Instruction ID: 791fe6a49cce3cab353f7a30e3e4730565bbd32bb5c0eaa1a09902b3577b180c
                                                    • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                    • Instruction Fuzzy Hash: 5CD0A9A24089B06EF3436210CC08B8F6A88CF13301F0A84A3F480EA1A0C2BC4C428BFD
                                                    Function 00405EA5 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB5
                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405ECD
                                                    • CharNextA.USER32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EDE
                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00406100,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EE7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3305719007.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.3305472370.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305796565.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3305887552.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.3306452945.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_ZXQ3AcEN5Q.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                    • String ID:
                                                    • API String ID: 190613189-0
                                                    • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                    • Instruction ID: b323b191ad28fc2fdc0003cf04e9b2d3b97c0f6d09c02c1c7944b0fd21ce9d7a
                                                    • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                    • Instruction Fuzzy Hash: 78F0C231205814AFCB02DBA4DD0099FBBA8EF55350B2540B9E881F7211DA34DF01ABA9

                                                    Execution Graph

                                                    Execution Coverage:17.8%
                                                    Dynamic/Decrypted Code Coverage:0%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:1367
                                                    Total number of Limit Nodes:26
                                                    execution_graph 3878 401ec5 3879 402c17 17 API calls 3878->3879 3880 401ecb 3879->3880 3881 402c17 17 API calls 3880->3881 3882 401ed7 3881->3882 3883 401ee3 ShowWindow 3882->3883 3884 401eee EnableWindow 3882->3884 3885 402ac5 3883->3885 3884->3885 3384 401746 3385 402c39 17 API calls 3384->3385 3386 40174d 3385->3386 3390 405f4a 3386->3390 3388 401754 3389 405f4a 2 API calls 3388->3389 3389->3388 3391 405f55 GetTickCount GetTempFileNameA 3390->3391 3392 405f82 3391->3392 3393 405f86 3391->3393 3392->3391 3392->3393 3393->3388 3886 401947 3887 402c39 17 API calls 3886->3887 3888 40194e lstrlenA 3887->3888 3889 402628 3888->3889 3893 401fcb 3894 402c39 17 API calls 3893->3894 3895 401fd2 3894->3895 3896 4066ff 2 API calls 3895->3896 3897 401fd8 3896->3897 3899 401fea 3897->3899 3900 4062e6 wsprintfA 3897->3900 3900->3899 3598 4034cc SetErrorMode GetVersionExA 3599 40351e GetVersionExA 3598->3599 3601 40355d 3598->3601 3600 40353a 3599->3600 3599->3601 3600->3601 3602 4035e1 3601->3602 3603 406794 5 API calls 3601->3603 3604 406726 3 API calls 3602->3604 3603->3602 3605 4035f7 lstrlenA 3604->3605 3605->3602 3606 403607 3605->3606 3607 406794 5 API calls 3606->3607 3608 40360e 3607->3608 3609 406794 5 API calls 3608->3609 3610 403615 3609->3610 3611 406794 5 API calls 3610->3611 3612 403621 #17 OleInitialize SHGetFileInfoA 3611->3612 3690 406388 lstrcpynA 3612->3690 3615 40366f GetCommandLineA 3691 406388 lstrcpynA 3615->3691 3617 403681 3618 405d45 CharNextA 3617->3618 3619 4036a8 CharNextA 3618->3619 3628 4036b7 3619->3628 3620 40377d 3621 403791 GetTempPathA 3620->3621 3692 40349b 3621->3692 3623 4037a9 3625 403803 DeleteFileA 3623->3625 3626 4037ad GetWindowsDirectoryA lstrcatA 3623->3626 3624 405d45 CharNextA 3624->3628 3702 402f5c GetTickCount GetModuleFileNameA 3625->3702 3629 40349b 12 API calls 3626->3629 3628->3620 3628->3624 3630 40377f 3628->3630 3632 4037c9 3629->3632 3789 406388 lstrcpynA 3630->3789 3631 403816 3633 4038ae ExitProcess OleUninitialize 3631->3633 3641 405d45 CharNextA 3631->3641 3672 40389b 3631->3672 3632->3625 3635 4037cd GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3632->3635 3637 4038c5 3633->3637 3638 4039e8 3633->3638 3636 40349b 12 API calls 3635->3636 3639 4037fb 3636->3639 3642 405a9e MessageBoxIndirectA 3637->3642 3643 4039f0 GetCurrentProcess OpenProcessToken 3638->3643 3644 403a66 ExitProcess 3638->3644 3639->3625 3639->3633 3646 403830 3641->3646 3648 4038d2 ExitProcess 3642->3648 3649 403a36 3643->3649 3650 403a07 LookupPrivilegeValueA AdjustTokenPrivileges 3643->3650 3653 403875 3646->3653 3654 4038da 3646->3654 3651 406794 5 API calls 3649->3651 3650->3649 3652 403a3d 3651->3652 3655 403a52 ExitWindowsEx 3652->3655 3658 403a5f 3652->3658 3657 405e08 18 API calls 3653->3657 3656 405a09 5 API calls 3654->3656 3655->3644 3655->3658 3659 4038df lstrcatA 3656->3659 3660 403881 3657->3660 3794 40140b 3658->3794 3662 4038f0 lstrcatA 3659->3662 3663 4038fb lstrcatA lstrcmpiA 3659->3663 3660->3633 3790 406388 lstrcpynA 3660->3790 3662->3663 3663->3633 3665 403917 3663->3665 3667 403923 3665->3667 3668 40391c 3665->3668 3666 403890 3791 406388 lstrcpynA 3666->3791 3671 4059ec 2 API calls 3667->3671 3670 40596f 4 API calls 3668->3670 3673 403921 3670->3673 3674 403928 SetCurrentDirectoryA 3671->3674 3732 403b6e 3672->3732 3673->3674 3675 403943 3674->3675 3676 403938 3674->3676 3793 406388 lstrcpynA 3675->3793 3792 406388 lstrcpynA 3676->3792 3679 40641b 17 API calls 3680 403985 DeleteFileA 3679->3680 3681 403993 CopyFileA 3680->3681 3687 403950 3680->3687 3681->3687 3682 4039dc 3684 406161 36 API calls 3682->3684 3683 406161 36 API calls 3683->3687 3685 4039e3 3684->3685 3685->3633 3686 40641b 17 API calls 3686->3687 3687->3679 3687->3682 3687->3683 3687->3686 3688 405a21 2 API calls 3687->3688 3689 4039c7 CloseHandle 3687->3689 3688->3687 3689->3687 3690->3615 3691->3617 3693 406666 5 API calls 3692->3693 3695 4034a7 3693->3695 3694 4034b1 3694->3623 3695->3694 3696 405d1a 3 API calls 3695->3696 3697 4034b9 3696->3697 3698 4059ec 2 API calls 3697->3698 3699 4034bf 3698->3699 3700 405f4a 2 API calls 3699->3700 3701 4034ca 3700->3701 3701->3623 3797 405f1b GetFileAttributesA CreateFileA 3702->3797 3704 402f9f 3731 402fac 3704->3731 3798 406388 lstrcpynA 3704->3798 3706 402fc2 3707 405d61 2 API calls 3706->3707 3708 402fc8 3707->3708 3799 406388 lstrcpynA 3708->3799 3710 402fd3 GetFileSize 3711 4030cd 3710->3711 3730 402fea 3710->3730 3712 402ebd 32 API calls 3711->3712 3713 4030d6 3712->3713 3715 403112 GlobalAlloc 3713->3715 3713->3731 3801 403484 SetFilePointer 3713->3801 3714 40346e ReadFile 3714->3730 3716 403129 3715->3716 3721 405f4a 2 API calls 3716->3721 3718 40316a 3719 402ebd 32 API calls 3718->3719 3719->3731 3720 4030f3 3722 40346e ReadFile 3720->3722 3723 40313a CreateFileA 3721->3723 3724 4030fe 3722->3724 3726 403174 3723->3726 3723->3731 3724->3715 3724->3731 3725 402ebd 32 API calls 3725->3730 3800 403484 SetFilePointer 3726->3800 3728 403182 3729 4031fd 44 API calls 3728->3729 3729->3731 3730->3711 3730->3714 3730->3718 3730->3725 3730->3731 3731->3631 3733 406794 5 API calls 3732->3733 3734 403b82 3733->3734 3735 403b88 3734->3735 3736 403b9a 3734->3736 3810 4062e6 wsprintfA 3735->3810 3737 40626f 3 API calls 3736->3737 3738 403bc5 3737->3738 3739 403be3 lstrcatA 3738->3739 3741 40626f 3 API calls 3738->3741 3742 403b98 3739->3742 3741->3739 3802 403e33 3742->3802 3745 405e08 18 API calls 3746 403c15 3745->3746 3747 403c9e 3746->3747 3749 40626f 3 API calls 3746->3749 3748 405e08 18 API calls 3747->3748 3750 403ca4 3748->3750 3752 403c41 3749->3752 3751 403cb4 LoadImageA 3750->3751 3753 40641b 17 API calls 3750->3753 3754 403d5a 3751->3754 3755 403cdb RegisterClassA 3751->3755 3752->3747 3756 403c5d lstrlenA 3752->3756 3759 405d45 CharNextA 3752->3759 3753->3751 3758 40140b 2 API calls 3754->3758 3757 403d11 SystemParametersInfoA CreateWindowExA 3755->3757 3765 4038ab 3755->3765 3760 403c91 3756->3760 3761 403c6b lstrcmpiA 3756->3761 3757->3754 3762 403d60 3758->3762 3763 403c5b 3759->3763 3766 405d1a 3 API calls 3760->3766 3761->3760 3764 403c7b GetFileAttributesA 3761->3764 3762->3765 3768 403e33 18 API calls 3762->3768 3763->3756 3767 403c87 3764->3767 3765->3633 3769 403c97 3766->3769 3767->3760 3770 405d61 2 API calls 3767->3770 3771 403d71 3768->3771 3811 406388 lstrcpynA 3769->3811 3770->3760 3773 403e00 3771->3773 3774 403d7d ShowWindow 3771->3774 3812 40557b OleInitialize 3773->3812 3776 406726 3 API calls 3774->3776 3778 403d95 3776->3778 3777 403e06 3779 403e22 3777->3779 3780 403e0a 3777->3780 3781 403da3 GetClassInfoA 3778->3781 3783 406726 3 API calls 3778->3783 3782 40140b 2 API calls 3779->3782 3780->3765 3787 40140b 2 API calls 3780->3787 3784 403db7 GetClassInfoA RegisterClassA 3781->3784 3785 403dcd DialogBoxParamA 3781->3785 3782->3765 3783->3781 3784->3785 3786 40140b 2 API calls 3785->3786 3788 403df5 3786->3788 3787->3765 3788->3765 3789->3621 3790->3666 3791->3672 3792->3675 3793->3687 3795 401389 2 API calls 3794->3795 3796 401420 3795->3796 3796->3644 3797->3704 3798->3706 3799->3710 3800->3728 3801->3720 3803 403e47 3802->3803 3819 4062e6 wsprintfA 3803->3819 3805 403eb8 3820 403eec 3805->3820 3807 403bf3 3807->3745 3808 403ebd 3808->3807 3809 40641b 17 API calls 3808->3809 3809->3808 3810->3742 3811->3747 3823 404451 3812->3823 3814 40559e 3818 4055c5 3814->3818 3826 401389 3814->3826 3815 404451 SendMessageA 3816 4055d7 OleUninitialize 3815->3816 3816->3777 3818->3815 3819->3805 3821 40641b 17 API calls 3820->3821 3822 403efa SetWindowTextA 3821->3822 3822->3808 3824 404469 3823->3824 3825 40445a SendMessageA 3823->3825 3824->3814 3825->3824 3828 401390 3826->3828 3827 4013fe 3827->3814 3828->3827 3829 4013cb MulDiv SendMessageA 3828->3829 3829->3828 3901 404850 3902 404860 3901->3902 3903 404886 3901->3903 3908 404405 3902->3908 3911 40446c 3903->3911 3907 40486d SetDlgItemTextA 3907->3903 3909 40641b 17 API calls 3908->3909 3910 404410 SetDlgItemTextA 3909->3910 3910->3907 3912 40452f 3911->3912 3913 404484 GetWindowLongA 3911->3913 3913->3912 3914 404499 3913->3914 3914->3912 3915 4044c6 GetSysColor 3914->3915 3916 4044c9 3914->3916 3915->3916 3917 4044d9 SetBkMode 3916->3917 3918 4044cf SetTextColor 3916->3918 3919 4044f1 GetSysColor 3917->3919 3920 4044f7 3917->3920 3918->3917 3919->3920 3921 404508 3920->3921 3922 4044fe SetBkColor 3920->3922 3921->3912 3923 404522 CreateBrushIndirect 3921->3923 3924 40451b DeleteObject 3921->3924 3922->3921 3923->3912 3924->3923 3932 4014d6 3933 402c17 17 API calls 3932->3933 3934 4014dc Sleep 3933->3934 3936 402ac5 3934->3936 3485 401759 3486 402c39 17 API calls 3485->3486 3487 401760 3486->3487 3488 401786 3487->3488 3489 40177e 3487->3489 3525 406388 lstrcpynA 3488->3525 3524 406388 lstrcpynA 3489->3524 3492 401784 3496 406666 5 API calls 3492->3496 3493 401791 3494 405d1a 3 API calls 3493->3494 3495 401797 lstrcatA 3494->3495 3495->3492 3513 4017a3 3496->3513 3497 4066ff 2 API calls 3497->3513 3498 405ef6 2 API calls 3498->3513 3500 4017ba CompareFileTime 3500->3513 3501 40187e 3503 4054a9 24 API calls 3501->3503 3502 401855 3504 4054a9 24 API calls 3502->3504 3522 40186a 3502->3522 3506 401888 3503->3506 3504->3522 3505 406388 lstrcpynA 3505->3513 3507 4031fd 44 API calls 3506->3507 3508 40189b 3507->3508 3509 4018af SetFileTime 3508->3509 3510 4018c1 FindCloseChangeNotification 3508->3510 3509->3510 3512 4018d2 3510->3512 3510->3522 3511 40641b 17 API calls 3511->3513 3514 4018d7 3512->3514 3515 4018ea 3512->3515 3513->3497 3513->3498 3513->3500 3513->3501 3513->3502 3513->3505 3513->3511 3523 405f1b GetFileAttributesA CreateFileA 3513->3523 3526 405a9e 3513->3526 3516 40641b 17 API calls 3514->3516 3517 40641b 17 API calls 3515->3517 3519 4018df lstrcatA 3516->3519 3520 4018f2 3517->3520 3519->3520 3521 405a9e MessageBoxIndirectA 3520->3521 3521->3522 3523->3513 3524->3492 3525->3493 3527 405ab3 3526->3527 3528 405aff 3527->3528 3529 405ac7 MessageBoxIndirectA 3527->3529 3528->3513 3529->3528 3937 401659 3938 402c39 17 API calls 3937->3938 3939 40165f 3938->3939 3940 4066ff 2 API calls 3939->3940 3941 401665 3940->3941 3942 401959 3943 402c17 17 API calls 3942->3943 3944 401960 3943->3944 3945 402c17 17 API calls 3944->3945 3946 40196d 3945->3946 3947 402c39 17 API calls 3946->3947 3948 401984 lstrlenA 3947->3948 3950 401994 3948->3950 3949 4019d4 3950->3949 3954 406388 lstrcpynA 3950->3954 3952 4019c4 3952->3949 3953 4019c9 lstrlenA 3952->3953 3953->3949 3954->3952 3955 401a5e 3956 402c17 17 API calls 3955->3956 3957 401a67 3956->3957 3958 402c17 17 API calls 3957->3958 3959 401a0e 3958->3959 3960 401563 3961 402a42 3960->3961 3964 4062e6 wsprintfA 3961->3964 3963 402a47 3964->3963 3965 401b63 3966 402c39 17 API calls 3965->3966 3967 401b6a 3966->3967 3968 402c17 17 API calls 3967->3968 3969 401b73 wsprintfA 3968->3969 3970 402ac5 3969->3970 3971 401d65 3972 401d78 GetDlgItem 3971->3972 3973 401d6b 3971->3973 3975 401d72 3972->3975 3974 402c17 17 API calls 3973->3974 3974->3975 3976 401db9 GetClientRect LoadImageA SendMessageA 3975->3976 3978 402c39 17 API calls 3975->3978 3979 401e1a 3976->3979 3981 401e26 3976->3981 3978->3976 3980 401e1f DeleteObject 3979->3980 3979->3981 3980->3981 3982 402766 3983 40276c 3982->3983 3984 402774 FindClose 3983->3984 3985 402ac5 3983->3985 3984->3985 3986 4055e7 3987 405792 3986->3987 3988 405609 GetDlgItem GetDlgItem GetDlgItem 3986->3988 3990 4057c2 3987->3990 3991 40579a GetDlgItem CreateThread CloseHandle 3987->3991 4031 40443a SendMessageA 3988->4031 3993 4057f0 3990->3993 3994 405811 3990->3994 3995 4057d8 ShowWindow ShowWindow 3990->3995 3991->3990 3992 405679 3999 405680 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3992->3999 3996 405800 3993->3996 3997 405824 ShowWindow 3993->3997 4000 40584b 3993->4000 3998 40446c 8 API calls 3994->3998 4033 40443a SendMessageA 3995->4033 4034 4043de 3996->4034 4004 405844 3997->4004 4005 405836 3997->4005 4003 40581d 3998->4003 4006 4056d2 SendMessageA SendMessageA 3999->4006 4007 4056ee 3999->4007 4000->3994 4008 405858 SendMessageA 4000->4008 4010 4043de SendMessageA 4004->4010 4009 4054a9 24 API calls 4005->4009 4006->4007 4011 405701 4007->4011 4012 4056f3 SendMessageA 4007->4012 4008->4003 4013 405871 CreatePopupMenu 4008->4013 4009->4004 4010->4000 4015 404405 18 API calls 4011->4015 4012->4011 4014 40641b 17 API calls 4013->4014 4017 405881 AppendMenuA 4014->4017 4016 405711 4015->4016 4020 40571a ShowWindow 4016->4020 4021 40574e GetDlgItem SendMessageA 4016->4021 4018 4058b2 TrackPopupMenu 4017->4018 4019 40589f GetWindowRect 4017->4019 4018->4003 4022 4058ce 4018->4022 4019->4018 4023 405730 ShowWindow 4020->4023 4024 40573d 4020->4024 4021->4003 4025 405775 SendMessageA SendMessageA 4021->4025 4026 4058ed SendMessageA 4022->4026 4023->4024 4032 40443a SendMessageA 4024->4032 4025->4003 4026->4026 4027 40590a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4026->4027 4029 40592c SendMessageA 4027->4029 4029->4029 4030 40594e GlobalUnlock SetClipboardData CloseClipboard 4029->4030 4030->4003 4031->3992 4032->4021 4033->3993 4035 4043e5 4034->4035 4036 4043eb SendMessageA 4034->4036 4035->4036 4036->3994 3394 4027e8 3395 402c39 17 API calls 3394->3395 3396 4027f4 3395->3396 3397 40280a 3396->3397 3399 402c39 17 API calls 3396->3399 3398 405ef6 2 API calls 3397->3398 3400 402810 3398->3400 3399->3397 3422 405f1b GetFileAttributesA CreateFileA 3400->3422 3402 40281d 3403 4028d9 3402->3403 3404 4028c1 3402->3404 3405 402838 GlobalAlloc 3402->3405 3406 4028e0 DeleteFileA 3403->3406 3407 4028f3 3403->3407 3409 4031fd 44 API calls 3404->3409 3405->3404 3408 402851 3405->3408 3406->3407 3423 403484 SetFilePointer 3408->3423 3411 4028ce FindCloseChangeNotification 3409->3411 3411->3403 3412 402857 3424 40346e 3412->3424 3415 402870 3427 4031fd 3415->3427 3416 4028aa 3417 405fc2 WriteFile 3416->3417 3419 4028b6 GlobalFree 3417->3419 3419->3404 3420 4028a1 GlobalFree 3420->3416 3421 40287d 3421->3420 3422->3402 3423->3412 3425 405f93 ReadFile 3424->3425 3426 402860 GlobalAlloc 3425->3426 3426->3415 3426->3416 3428 403228 3427->3428 3429 40320c SetFilePointer 3427->3429 3442 403305 GetTickCount 3428->3442 3429->3428 3432 405f93 ReadFile 3433 403248 3432->3433 3434 403305 42 API calls 3433->3434 3436 4032c5 3433->3436 3435 40325f 3434->3435 3435->3436 3437 4032cb ReadFile 3435->3437 3439 40326e 3435->3439 3436->3421 3437->3436 3439->3436 3440 405f93 ReadFile 3439->3440 3441 405fc2 WriteFile 3439->3441 3440->3439 3441->3439 3443 403333 3442->3443 3444 40345d 3442->3444 3455 403484 SetFilePointer 3443->3455 3445 402ebd 32 API calls 3444->3445 3451 40322f 3445->3451 3447 40333e SetFilePointer 3452 403363 3447->3452 3448 40346e ReadFile 3448->3452 3451->3432 3451->3436 3452->3448 3452->3451 3453 405fc2 WriteFile 3452->3453 3454 40343e SetFilePointer 3452->3454 3456 4068d9 3452->3456 3463 402ebd 3452->3463 3453->3452 3454->3444 3455->3447 3457 4068fe 3456->3457 3458 406906 3456->3458 3457->3452 3458->3457 3459 406996 GlobalAlloc 3458->3459 3460 40698d GlobalFree 3458->3460 3461 406a04 GlobalFree 3458->3461 3462 406a0d GlobalAlloc 3458->3462 3459->3457 3459->3458 3460->3459 3461->3462 3462->3457 3462->3458 3464 402ee3 3463->3464 3465 402ecb 3463->3465 3468 402ef3 GetTickCount 3464->3468 3469 402eeb 3464->3469 3466 402ed4 DestroyWindow 3465->3466 3467 402edb 3465->3467 3466->3467 3467->3452 3468->3467 3471 402f01 3468->3471 3478 4067d0 3469->3478 3472 402f36 CreateDialogParamA ShowWindow 3471->3472 3473 402f09 3471->3473 3472->3467 3473->3467 3482 402ea1 3473->3482 3475 402f17 wsprintfA 3476 4054a9 24 API calls 3475->3476 3477 402f34 3476->3477 3477->3467 3479 4067ed PeekMessageA 3478->3479 3480 4067e3 DispatchMessageA 3479->3480 3481 4067fd 3479->3481 3480->3479 3481->3467 3483 402eb0 3482->3483 3484 402eb2 MulDiv 3482->3484 3483->3484 3484->3475 4037 404be8 4038 404c14 4037->4038 4039 404bf8 4037->4039 4040 404c47 4038->4040 4041 404c1a SHGetPathFromIDListA 4038->4041 4048 405a82 GetDlgItemTextA 4039->4048 4044 404c2a 4041->4044 4047 404c31 SendMessageA 4041->4047 4043 404c05 SendMessageA 4043->4038 4045 40140b 2 API calls 4044->4045 4045->4047 4047->4040 4048->4043 4049 4023e8 4050 402c39 17 API calls 4049->4050 4051 4023f9 4050->4051 4052 402c39 17 API calls 4051->4052 4053 402402 4052->4053 4054 402c39 17 API calls 4053->4054 4055 40240c GetPrivateProfileStringA 4054->4055 4056 40166a 4057 402c39 17 API calls 4056->4057 4058 401671 4057->4058 4059 402c39 17 API calls 4058->4059 4060 40167a 4059->4060 4061 402c39 17 API calls 4060->4061 4062 401683 MoveFileA 4061->4062 4063 401696 4062->4063 4064 40168f 4062->4064 4066 4066ff 2 API calls 4063->4066 4068 4022ea 4063->4068 4065 401423 24 API calls 4064->4065 4065->4068 4067 4016a5 4066->4067 4067->4068 4069 406161 36 API calls 4067->4069 4069->4064 4077 4019ed 4078 402c39 17 API calls 4077->4078 4079 4019f4 4078->4079 4080 402c39 17 API calls 4079->4080 4081 4019fd 4080->4081 4082 401a04 lstrcmpiA 4081->4082 4083 401a16 lstrcmpA 4081->4083 4084 401a0a 4082->4084 4083->4084 4085 40156f 4086 401586 4085->4086 4087 40157f ShowWindow 4085->4087 4088 401594 ShowWindow 4086->4088 4089 402ac5 4086->4089 4087->4086 4088->4089 4090 404570 4092 404586 4090->4092 4093 404692 4090->4093 4091 404701 4094 4047cb 4091->4094 4096 40470b GetDlgItem 4091->4096 4095 404405 18 API calls 4092->4095 4093->4091 4093->4094 4101 4046d6 GetDlgItem SendMessageA 4093->4101 4100 40446c 8 API calls 4094->4100 4099 4045dc 4095->4099 4097 404721 4096->4097 4098 404789 4096->4098 4097->4098 4104 404747 SendMessageA LoadCursorA SetCursor 4097->4104 4098->4094 4105 40479b 4098->4105 4102 404405 18 API calls 4099->4102 4103 4047c6 4100->4103 4123 404427 EnableWindow 4101->4123 4107 4045e9 CheckDlgButton 4102->4107 4127 404814 4104->4127 4110 4047a1 SendMessageA 4105->4110 4111 4047b2 4105->4111 4121 404427 EnableWindow 4107->4121 4110->4111 4111->4103 4115 4047b8 SendMessageA 4111->4115 4112 4046fc 4124 4047f0 4112->4124 4113 404607 GetDlgItem 4122 40443a SendMessageA 4113->4122 4115->4103 4118 40461d SendMessageA 4119 404644 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4118->4119 4120 40463b GetSysColor 4118->4120 4119->4103 4120->4119 4121->4113 4122->4118 4123->4112 4125 404803 SendMessageA 4124->4125 4126 4047fe 4124->4126 4125->4091 4126->4125 4130 405a64 ShellExecuteExA 4127->4130 4129 40477a LoadCursorA SetCursor 4129->4098 4130->4129 4131 402173 4132 402c39 17 API calls 4131->4132 4133 40217a 4132->4133 4134 402c39 17 API calls 4133->4134 4135 402184 4134->4135 4136 402c39 17 API calls 4135->4136 4137 40218e 4136->4137 4138 402c39 17 API calls 4137->4138 4139 40219b 4138->4139 4140 402c39 17 API calls 4139->4140 4141 4021a5 4140->4141 4142 4021e7 CoCreateInstance 4141->4142 4143 402c39 17 API calls 4141->4143 4144 402206 4142->4144 4148 4022b4 4142->4148 4143->4142 4147 402294 MultiByteToWideChar 4144->4147 4144->4148 4145 401423 24 API calls 4146 4022ea 4145->4146 4147->4148 4148->4145 4148->4146 4149 4022f3 4150 402c39 17 API calls 4149->4150 4151 4022f9 4150->4151 4152 402c39 17 API calls 4151->4152 4153 402302 4152->4153 4154 402c39 17 API calls 4153->4154 4155 40230b 4154->4155 4156 4066ff 2 API calls 4155->4156 4157 402314 4156->4157 4158 402325 lstrlenA lstrlenA 4157->4158 4162 402318 4157->4162 4160 4054a9 24 API calls 4158->4160 4159 4054a9 24 API calls 4163 402320 4159->4163 4161 402361 SHFileOperationA 4160->4161 4161->4162 4161->4163 4162->4159 4162->4163 4164 4014f4 SetForegroundWindow 4165 402ac5 4164->4165 4166 402375 4167 40237c 4166->4167 4170 40238f 4166->4170 4168 40641b 17 API calls 4167->4168 4169 402389 4168->4169 4171 405a9e MessageBoxIndirectA 4169->4171 4171->4170 4172 402675 4173 402c17 17 API calls 4172->4173 4177 40267f 4173->4177 4174 4026ed 4175 405f93 ReadFile 4175->4177 4176 4026ef 4181 4062e6 wsprintfA 4176->4181 4177->4174 4177->4175 4177->4176 4178 4026ff 4177->4178 4178->4174 4180 402715 SetFilePointer 4178->4180 4180->4174 4181->4174 4182 4029f6 4183 402a49 4182->4183 4184 4029fd 4182->4184 4185 406794 5 API calls 4183->4185 4187 402c17 17 API calls 4184->4187 4190 402a47 4184->4190 4186 402a50 4185->4186 4188 402c39 17 API calls 4186->4188 4189 402a0b 4187->4189 4191 402a59 4188->4191 4192 402c17 17 API calls 4189->4192 4191->4190 4200 4063db 4191->4200 4194 402a1a 4192->4194 4199 4062e6 wsprintfA 4194->4199 4195 402a67 4195->4190 4204 4063c5 4195->4204 4199->4190 4201 4063e6 4200->4201 4202 406409 IIDFromString 4201->4202 4203 406402 4201->4203 4202->4195 4203->4195 4207 4063aa WideCharToMultiByte 4204->4207 4206 402a88 CoTaskMemFree 4206->4190 4207->4206 4208 401ef9 4209 402c39 17 API calls 4208->4209 4210 401eff 4209->4210 4211 402c39 17 API calls 4210->4211 4212 401f08 4211->4212 4213 402c39 17 API calls 4212->4213 4214 401f11 4213->4214 4215 402c39 17 API calls 4214->4215 4216 401f1a 4215->4216 4217 401423 24 API calls 4216->4217 4218 401f21 4217->4218 4225 405a64 ShellExecuteExA 4218->4225 4220 401f5c 4221 406809 5 API calls 4220->4221 4223 4027c8 4220->4223 4222 401f76 CloseHandle 4221->4222 4222->4223 4225->4220 3534 401f7b 3535 402c39 17 API calls 3534->3535 3536 401f81 3535->3536 3537 4054a9 24 API calls 3536->3537 3538 401f8b 3537->3538 3549 405a21 CreateProcessA 3538->3549 3541 401fb2 CloseHandle 3545 4027c8 3541->3545 3544 401fa6 3546 401fb4 3544->3546 3547 401fab 3544->3547 3546->3541 3557 4062e6 wsprintfA 3547->3557 3550 401f91 3549->3550 3551 405a54 CloseHandle 3549->3551 3550->3541 3550->3545 3552 406809 WaitForSingleObject 3550->3552 3551->3550 3553 406823 3552->3553 3554 406835 GetExitCodeProcess 3553->3554 3555 4067d0 2 API calls 3553->3555 3554->3544 3556 40682a WaitForSingleObject 3555->3556 3556->3553 3557->3541 4233 401ffb 4234 402c39 17 API calls 4233->4234 4235 402002 4234->4235 4236 406794 5 API calls 4235->4236 4237 402011 4236->4237 4238 402029 GlobalAlloc 4237->4238 4247 402099 4237->4247 4239 40203d 4238->4239 4238->4247 4240 406794 5 API calls 4239->4240 4241 402044 4240->4241 4242 406794 5 API calls 4241->4242 4243 40204e 4242->4243 4243->4247 4248 4062e6 wsprintfA 4243->4248 4245 402089 4249 4062e6 wsprintfA 4245->4249 4248->4245 4249->4247 3830 403a7c 3831 403a97 3830->3831 3832 403a8d CloseHandle 3830->3832 3833 403aa1 CloseHandle 3831->3833 3834 403aab 3831->3834 3832->3831 3833->3834 3839 403ad9 3834->3839 3837 405b4a 67 API calls 3838 403abc 3837->3838 3840 403ae7 3839->3840 3841 403ab0 3840->3841 3842 403aec FreeLibrary GlobalFree 3840->3842 3841->3837 3842->3841 3842->3842 4250 4018fd 4251 401934 4250->4251 4252 402c39 17 API calls 4251->4252 4253 401939 4252->4253 4254 405b4a 67 API calls 4253->4254 4255 401942 4254->4255 3843 40247e 3844 402c39 17 API calls 3843->3844 3845 402490 3844->3845 3846 402c39 17 API calls 3845->3846 3847 40249a 3846->3847 3860 402cc9 3847->3860 3850 4024cf 3854 4024db 3850->3854 3864 402c17 3850->3864 3851 402c39 17 API calls 3855 4024c8 lstrlenA 3851->3855 3852 402ac5 3853 4024fd RegSetValueExA 3858 402513 RegCloseKey 3853->3858 3854->3853 3857 4031fd 44 API calls 3854->3857 3855->3850 3857->3853 3858->3852 3861 402ce4 3860->3861 3867 40623c 3861->3867 3865 40641b 17 API calls 3864->3865 3866 402c2c 3865->3866 3866->3854 3868 40624b 3867->3868 3869 4024aa 3868->3869 3870 406256 RegCreateKeyExA 3868->3870 3869->3850 3869->3851 3869->3852 3870->3869 4256 401cfe 4257 402c17 17 API calls 4256->4257 4258 401d04 IsWindow 4257->4258 4259 401a0e 4258->4259 4260 401000 4261 401037 BeginPaint GetClientRect 4260->4261 4262 40100c DefWindowProcA 4260->4262 4264 4010f3 4261->4264 4265 401179 4262->4265 4266 401073 CreateBrushIndirect FillRect DeleteObject 4264->4266 4267 4010fc 4264->4267 4266->4264 4268 401102 CreateFontIndirectA 4267->4268 4269 401167 EndPaint 4267->4269 4268->4269 4270 401112 6 API calls 4268->4270 4269->4265 4270->4269 4271 401900 4272 402c39 17 API calls 4271->4272 4273 401907 4272->4273 4274 405a9e MessageBoxIndirectA 4273->4274 4275 401910 4274->4275 4276 402780 4277 402786 4276->4277 4278 40278a FindNextFileA 4277->4278 4281 40279c 4277->4281 4279 4027db 4278->4279 4278->4281 4282 406388 lstrcpynA 4279->4282 4282->4281 4283 401502 4284 40150a 4283->4284 4286 40151d 4283->4286 4285 402c17 17 API calls 4284->4285 4285->4286 4287 401b87 4288 401b94 4287->4288 4289 401bd8 4287->4289 4290 401c1c 4288->4290 4297 401bab 4288->4297 4291 401c01 GlobalAlloc 4289->4291 4292 401bdc 4289->4292 4294 40641b 17 API calls 4290->4294 4303 40238f 4290->4303 4293 40641b 17 API calls 4291->4293 4292->4303 4308 406388 lstrcpynA 4292->4308 4293->4290 4296 402389 4294->4296 4301 405a9e MessageBoxIndirectA 4296->4301 4306 406388 lstrcpynA 4297->4306 4298 401bee GlobalFree 4298->4303 4300 401bba 4307 406388 lstrcpynA 4300->4307 4301->4303 4304 401bc9 4309 406388 lstrcpynA 4304->4309 4306->4300 4307->4304 4308->4298 4309->4303 4310 406a88 4312 40690c 4310->4312 4311 407277 4312->4311 4313 406996 GlobalAlloc 4312->4313 4314 40698d GlobalFree 4312->4314 4315 406a04 GlobalFree 4312->4315 4316 406a0d GlobalAlloc 4312->4316 4313->4311 4313->4312 4314->4313 4315->4316 4316->4311 4316->4312 3530 401389 3532 401390 3530->3532 3531 4013fe 3532->3531 3533 4013cb MulDiv SendMessageA 3532->3533 3533->3532 4317 404e0a GetDlgItem GetDlgItem 4318 404e60 7 API calls 4317->4318 4324 405087 4317->4324 4319 404f08 DeleteObject 4318->4319 4320 404efc SendMessageA 4318->4320 4321 404f13 4319->4321 4320->4319 4322 404f4a 4321->4322 4325 40641b 17 API calls 4321->4325 4326 404405 18 API calls 4322->4326 4323 405169 4327 405215 4323->4327 4332 40507a 4323->4332 4337 4051c2 SendMessageA 4323->4337 4324->4323 4351 4050f6 4324->4351 4371 404d58 SendMessageA 4324->4371 4330 404f2c SendMessageA SendMessageA 4325->4330 4331 404f5e 4326->4331 4328 405227 4327->4328 4329 40521f SendMessageA 4327->4329 4339 405240 4328->4339 4340 405239 ImageList_Destroy 4328->4340 4348 405250 4328->4348 4329->4328 4330->4321 4336 404405 18 API calls 4331->4336 4334 40446c 8 API calls 4332->4334 4333 40515b SendMessageA 4333->4323 4338 405416 4334->4338 4352 404f6f 4336->4352 4337->4332 4342 4051d7 SendMessageA 4337->4342 4343 405249 GlobalFree 4339->4343 4339->4348 4340->4339 4341 4053ca 4341->4332 4346 4053dc ShowWindow GetDlgItem ShowWindow 4341->4346 4345 4051ea 4342->4345 4343->4348 4344 405049 GetWindowLongA SetWindowLongA 4347 405062 4344->4347 4357 4051fb SendMessageA 4345->4357 4346->4332 4349 405067 ShowWindow 4347->4349 4350 40507f 4347->4350 4348->4341 4364 40528b 4348->4364 4376 404dd8 4348->4376 4369 40443a SendMessageA 4349->4369 4370 40443a SendMessageA 4350->4370 4351->4323 4351->4333 4352->4344 4353 405044 4352->4353 4356 404fc1 SendMessageA 4352->4356 4358 405013 SendMessageA 4352->4358 4359 404fff SendMessageA 4352->4359 4353->4344 4353->4347 4356->4352 4357->4327 4358->4352 4359->4352 4361 405395 4362 4053a0 InvalidateRect 4361->4362 4365 4053ac 4361->4365 4362->4365 4363 4052b9 SendMessageA 4367 4052cf 4363->4367 4364->4363 4364->4367 4365->4341 4385 404d13 4365->4385 4366 405343 SendMessageA SendMessageA 4366->4367 4367->4361 4367->4366 4369->4332 4370->4324 4372 404db7 SendMessageA 4371->4372 4373 404d7b GetMessagePos ScreenToClient SendMessageA 4371->4373 4375 404daf 4372->4375 4374 404db4 4373->4374 4373->4375 4374->4372 4375->4351 4388 406388 lstrcpynA 4376->4388 4378 404deb 4389 4062e6 wsprintfA 4378->4389 4380 404df5 4381 40140b 2 API calls 4380->4381 4382 404dfe 4381->4382 4390 406388 lstrcpynA 4382->4390 4384 404e05 4384->4364 4391 404c4e 4385->4391 4387 404d28 4387->4341 4388->4378 4389->4380 4390->4384 4392 404c64 4391->4392 4393 40641b 17 API calls 4392->4393 4394 404cc8 4393->4394 4395 40641b 17 API calls 4394->4395 4396 404cd3 4395->4396 4397 40641b 17 API calls 4396->4397 4398 404ce9 lstrlenA wsprintfA SetDlgItemTextA 4397->4398 4398->4387 4399 40298a 4400 402c17 17 API calls 4399->4400 4401 402990 4400->4401 4402 4027c8 4401->4402 4403 40641b 17 API calls 4401->4403 4403->4402 4404 403f0b 4405 403f23 4404->4405 4406 404084 4404->4406 4405->4406 4407 403f2f 4405->4407 4408 4040d5 4406->4408 4409 404095 GetDlgItem GetDlgItem 4406->4409 4411 403f3a SetWindowPos 4407->4411 4412 403f4d 4407->4412 4410 40412f 4408->4410 4421 401389 2 API calls 4408->4421 4413 404405 18 API calls 4409->4413 4414 404451 SendMessageA 4410->4414 4422 40407f 4410->4422 4411->4412 4415 403f56 ShowWindow 4412->4415 4416 403f98 4412->4416 4417 4040bf SetClassLongA 4413->4417 4444 404141 4414->4444 4423 404042 4415->4423 4424 403f76 GetWindowLongA 4415->4424 4418 403fa0 DestroyWindow 4416->4418 4419 403fb7 4416->4419 4420 40140b 2 API calls 4417->4420 4425 40438e 4418->4425 4426 403fbc SetWindowLongA 4419->4426 4427 403fcd 4419->4427 4420->4408 4428 404107 4421->4428 4429 40446c 8 API calls 4423->4429 4424->4423 4430 403f8f ShowWindow 4424->4430 4425->4422 4437 4043bf ShowWindow 4425->4437 4426->4422 4427->4423 4431 403fd9 GetDlgItem 4427->4431 4428->4410 4432 40410b SendMessageA 4428->4432 4429->4422 4430->4416 4435 404007 4431->4435 4436 403fea SendMessageA IsWindowEnabled 4431->4436 4432->4422 4433 40140b 2 API calls 4433->4444 4434 404390 DestroyWindow EndDialog 4434->4425 4439 404014 4435->4439 4442 40405b SendMessageA 4435->4442 4443 404027 4435->4443 4449 40400c 4435->4449 4436->4422 4436->4435 4437->4422 4438 40641b 17 API calls 4438->4444 4439->4442 4439->4449 4440 4043de SendMessageA 4440->4423 4441 404405 18 API calls 4441->4444 4442->4423 4445 404044 4443->4445 4446 40402f 4443->4446 4444->4422 4444->4433 4444->4434 4444->4438 4444->4441 4450 404405 18 API calls 4444->4450 4466 4042d0 DestroyWindow 4444->4466 4447 40140b 2 API calls 4445->4447 4448 40140b 2 API calls 4446->4448 4447->4449 4448->4449 4449->4423 4449->4440 4451 4041bc GetDlgItem 4450->4451 4452 4041d1 4451->4452 4453 4041d9 ShowWindow EnableWindow 4451->4453 4452->4453 4475 404427 EnableWindow 4453->4475 4455 404203 EnableWindow 4460 404217 4455->4460 4456 40421c GetSystemMenu EnableMenuItem SendMessageA 4457 40424c SendMessageA 4456->4457 4456->4460 4457->4460 4459 403eec 18 API calls 4459->4460 4460->4456 4460->4459 4476 40443a SendMessageA 4460->4476 4477 406388 lstrcpynA 4460->4477 4462 40427b lstrlenA 4463 40641b 17 API calls 4462->4463 4464 40428c SetWindowTextA 4463->4464 4465 401389 2 API calls 4464->4465 4465->4444 4466->4425 4467 4042ea CreateDialogParamA 4466->4467 4467->4425 4468 40431d 4467->4468 4469 404405 18 API calls 4468->4469 4470 404328 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4469->4470 4471 401389 2 API calls 4470->4471 4472 40436e 4471->4472 4472->4422 4473 404376 ShowWindow 4472->4473 4474 404451 SendMessageA 4473->4474 4474->4425 4475->4455 4476->4460 4477->4462 4478 40260c 4479 402c39 17 API calls 4478->4479 4480 402613 4479->4480 4483 405f1b GetFileAttributesA CreateFileA 4480->4483 4482 40261f 4483->4482 4484 401490 4485 4054a9 24 API calls 4484->4485 4486 401497 4485->4486 4487 402590 4497 402c79 4487->4497 4490 402c17 17 API calls 4491 4025a3 4490->4491 4492 4025ca RegEnumValueA 4491->4492 4493 4025be RegEnumKeyA 4491->4493 4495 4027c8 4491->4495 4494 4025df RegCloseKey 4492->4494 4493->4494 4494->4495 4498 402c39 17 API calls 4497->4498 4499 402c90 4498->4499 4500 40620e RegOpenKeyExA 4499->4500 4501 40259a 4500->4501 4501->4490 4509 404897 4510 4048c3 4509->4510 4511 4048d4 4509->4511 4570 405a82 GetDlgItemTextA 4510->4570 4512 4048e0 GetDlgItem 4511->4512 4520 40493f 4511->4520 4514 4048f4 4512->4514 4518 404908 SetWindowTextA 4514->4518 4523 405db3 4 API calls 4514->4523 4515 404a23 4519 404bcd 4515->4519 4572 405a82 GetDlgItemTextA 4515->4572 4516 4048ce 4517 406666 5 API calls 4516->4517 4517->4511 4524 404405 18 API calls 4518->4524 4522 40446c 8 API calls 4519->4522 4520->4515 4520->4519 4525 40641b 17 API calls 4520->4525 4527 404be1 4522->4527 4528 4048fe 4523->4528 4529 404924 4524->4529 4530 4049b3 SHBrowseForFolderA 4525->4530 4526 404a53 4531 405e08 18 API calls 4526->4531 4528->4518 4535 405d1a 3 API calls 4528->4535 4532 404405 18 API calls 4529->4532 4530->4515 4533 4049cb CoTaskMemFree 4530->4533 4534 404a59 4531->4534 4536 404932 4532->4536 4537 405d1a 3 API calls 4533->4537 4573 406388 lstrcpynA 4534->4573 4535->4518 4571 40443a SendMessageA 4536->4571 4539 4049d8 4537->4539 4543 404a0f SetDlgItemTextA 4539->4543 4546 40641b 17 API calls 4539->4546 4541 404a70 4545 406794 5 API calls 4541->4545 4542 404938 4544 406794 5 API calls 4542->4544 4543->4515 4544->4520 4552 404a77 4545->4552 4547 4049f7 lstrcmpiA 4546->4547 4547->4543 4549 404a08 lstrcatA 4547->4549 4548 404ab3 4574 406388 lstrcpynA 4548->4574 4549->4543 4551 404aba 4553 405db3 4 API calls 4551->4553 4552->4548 4557 405d61 2 API calls 4552->4557 4558 404b0b 4552->4558 4554 404ac0 GetDiskFreeSpaceA 4553->4554 4556 404ae4 MulDiv 4554->4556 4554->4558 4556->4558 4557->4552 4559 404b7c 4558->4559 4561 404d13 20 API calls 4558->4561 4560 404b9f 4559->4560 4563 40140b 2 API calls 4559->4563 4575 404427 EnableWindow 4560->4575 4562 404b69 4561->4562 4564 404b7e SetDlgItemTextA 4562->4564 4565 404b6e 4562->4565 4563->4560 4564->4559 4567 404c4e 20 API calls 4565->4567 4567->4559 4568 404bbb 4568->4519 4569 4047f0 SendMessageA 4568->4569 4569->4519 4570->4516 4571->4542 4572->4526 4573->4541 4574->4551 4575->4568 4576 40541d 4577 405441 4576->4577 4578 40542d 4576->4578 4580 405449 IsWindowVisible 4577->4580 4586 405460 4577->4586 4579 405433 4578->4579 4588 40548a 4578->4588 4582 404451 SendMessageA 4579->4582 4583 405456 4580->4583 4580->4588 4581 40548f CallWindowProcA 4584 40543d 4581->4584 4582->4584 4585 404d58 5 API calls 4583->4585 4585->4586 4586->4581 4587 404dd8 4 API calls 4586->4587 4587->4588 4588->4581 4589 40149d 4590 4014ab PostQuitMessage 4589->4590 4591 40238f 4589->4591 4590->4591 4592 40159d 4593 402c39 17 API calls 4592->4593 4594 4015a4 SetFileAttributesA 4593->4594 4595 4015b6 4594->4595 4596 401a1e 4597 402c39 17 API calls 4596->4597 4598 401a27 ExpandEnvironmentStringsA 4597->4598 4599 401a3b 4598->4599 4601 401a4e 4598->4601 4600 401a40 lstrcmpA 4599->4600 4599->4601 4600->4601 4602 40251e 4603 402c79 17 API calls 4602->4603 4604 402528 4603->4604 4605 402c39 17 API calls 4604->4605 4606 402531 4605->4606 4607 4027c8 4606->4607 4608 40253b RegQueryValueExA 4606->4608 4609 40255b 4608->4609 4612 402561 RegCloseKey 4608->4612 4609->4612 4613 4062e6 wsprintfA 4609->4613 4612->4607 4613->4612 4619 40171f 4620 402c39 17 API calls 4619->4620 4621 401726 SearchPathA 4620->4621 4622 401741 4621->4622 4623 401d1f 4624 402c17 17 API calls 4623->4624 4625 401d26 4624->4625 4626 402c17 17 API calls 4625->4626 4627 401d32 GetDlgItem 4626->4627 4628 402628 4627->4628 4629 402aa0 SendMessageA 4630 402ac5 4629->4630 4631 402aba InvalidateRect 4629->4631 4631->4630 4632 4023a4 4633 4023b2 4632->4633 4634 4023ac 4632->4634 4636 402c39 17 API calls 4633->4636 4638 4023c2 4633->4638 4635 402c39 17 API calls 4634->4635 4635->4633 4636->4638 4637 4023d0 4640 402c39 17 API calls 4637->4640 4638->4637 4639 402c39 17 API calls 4638->4639 4639->4637 4641 4023d9 WritePrivateProfileStringA 4640->4641 3363 4020a5 3364 4020b7 3363->3364 3365 402165 3363->3365 3366 402c39 17 API calls 3364->3366 3368 401423 24 API calls 3365->3368 3367 4020be 3366->3367 3369 402c39 17 API calls 3367->3369 3374 4022ea 3368->3374 3370 4020c7 3369->3370 3371 4020dc LoadLibraryExA 3370->3371 3372 4020cf GetModuleHandleA 3370->3372 3371->3365 3373 4020ec GetProcAddress 3371->3373 3372->3371 3372->3373 3375 402138 3373->3375 3376 4020fb 3373->3376 3377 4054a9 24 API calls 3375->3377 3379 40210b 3376->3379 3381 401423 3376->3381 3377->3379 3379->3374 3380 402159 FreeLibrary 3379->3380 3380->3374 3382 4054a9 24 API calls 3381->3382 3383 401431 3382->3383 3383->3379 4642 402e25 4643 402e34 SetTimer 4642->4643 4644 402e4d 4642->4644 4643->4644 4645 402e9b 4644->4645 4646 402ea1 MulDiv 4644->4646 4647 402e5b wsprintfA SetWindowTextA SetDlgItemTextA 4646->4647 4647->4645 4656 402429 4657 402430 4656->4657 4658 40245b 4656->4658 4659 402c79 17 API calls 4657->4659 4660 402c39 17 API calls 4658->4660 4661 402437 4659->4661 4662 402462 4660->4662 4664 402c39 17 API calls 4661->4664 4665 40246f 4661->4665 4667 402cf7 4662->4667 4666 402448 RegDeleteValueA RegCloseKey 4664->4666 4666->4665 4668 402d03 4667->4668 4669 402d0a 4667->4669 4668->4665 4669->4668 4671 402d3b 4669->4671 4672 40620e RegOpenKeyExA 4671->4672 4673 402d69 4672->4673 4674 402d79 RegEnumValueA 4673->4674 4675 402d9c 4673->4675 4682 402e13 4673->4682 4674->4675 4676 402e03 RegCloseKey 4674->4676 4675->4676 4677 402dd8 RegEnumKeyA 4675->4677 4678 402de1 RegCloseKey 4675->4678 4680 402d3b 6 API calls 4675->4680 4676->4682 4677->4675 4677->4678 4679 406794 5 API calls 4678->4679 4681 402df1 4679->4681 4680->4675 4681->4682 4683 402df5 RegDeleteKeyA 4681->4683 4682->4668 4683->4682 4684 4027aa 4685 402c39 17 API calls 4684->4685 4686 4027b1 FindFirstFileA 4685->4686 4687 4027d4 4686->4687 4688 4027c4 4686->4688 4689 4027db 4687->4689 4692 4062e6 wsprintfA 4687->4692 4693 406388 lstrcpynA 4689->4693 4692->4689 4693->4688 4694 403b2c 4695 403b37 4694->4695 4696 403b3b 4695->4696 4697 403b3e GlobalAlloc 4695->4697 4697->4696 4698 401c2e 4699 402c17 17 API calls 4698->4699 4700 401c35 4699->4700 4701 402c17 17 API calls 4700->4701 4702 401c42 4701->4702 4703 402c39 17 API calls 4702->4703 4704 401c57 4702->4704 4703->4704 4705 401c67 4704->4705 4706 402c39 17 API calls 4704->4706 4707 401c72 4705->4707 4708 401cbe 4705->4708 4706->4705 4710 402c17 17 API calls 4707->4710 4709 402c39 17 API calls 4708->4709 4711 401cc3 4709->4711 4712 401c77 4710->4712 4713 402c39 17 API calls 4711->4713 4714 402c17 17 API calls 4712->4714 4715 401ccc FindWindowExA 4713->4715 4716 401c83 4714->4716 4719 401cea 4715->4719 4717 401c90 SendMessageTimeoutA 4716->4717 4718 401cae SendMessageA 4716->4718 4717->4719 4718->4719 4720 40262e 4721 402633 4720->4721 4722 402647 4720->4722 4723 402c17 17 API calls 4721->4723 4724 402c39 17 API calls 4722->4724 4726 40263c 4723->4726 4725 40264e lstrlenA 4724->4725 4725->4726 4727 402670 4726->4727 4728 405fc2 WriteFile 4726->4728 4728->4727 3175 401932 3176 401934 3175->3176 3181 402c39 3176->3181 3182 402c45 3181->3182 3224 40641b 3182->3224 3185 401939 3187 405b4a 3185->3187 3266 405e08 3187->3266 3190 405b72 DeleteFileA 3220 401942 3190->3220 3191 405b89 3192 405cb7 3191->3192 3280 406388 lstrcpynA 3191->3280 3192->3220 3309 4066ff FindFirstFileA 3192->3309 3194 405baf 3195 405bc2 3194->3195 3196 405bb5 lstrcatA 3194->3196 3281 405d61 lstrlenA 3195->3281 3198 405bc8 3196->3198 3201 405bd6 lstrcatA 3198->3201 3202 405be1 lstrlenA FindFirstFileA 3198->3202 3201->3202 3202->3192 3210 405c05 3202->3210 3205 405d45 CharNextA 3205->3210 3206 405b02 5 API calls 3207 405cf1 3206->3207 3208 405cf5 3207->3208 3209 405d0b 3207->3209 3215 4054a9 24 API calls 3208->3215 3208->3220 3213 4054a9 24 API calls 3209->3213 3210->3205 3211 405c96 FindNextFileA 3210->3211 3219 405b4a 60 API calls 3210->3219 3221 4054a9 24 API calls 3210->3221 3285 406388 lstrcpynA 3210->3285 3286 405b02 3210->3286 3294 4054a9 3210->3294 3305 406161 MoveFileExA 3210->3305 3211->3210 3214 405cae FindClose 3211->3214 3213->3220 3214->3192 3216 405d02 3215->3216 3217 406161 36 API calls 3216->3217 3217->3220 3219->3210 3221->3211 3228 406428 3224->3228 3225 40664d 3226 402c66 3225->3226 3257 406388 lstrcpynA 3225->3257 3226->3185 3241 406666 3226->3241 3228->3225 3229 406627 lstrlenA 3228->3229 3232 40641b 10 API calls 3228->3232 3234 406543 GetSystemDirectoryA 3228->3234 3235 406556 GetWindowsDirectoryA 3228->3235 3236 406666 5 API calls 3228->3236 3237 40658a SHGetSpecialFolderLocation 3228->3237 3238 40641b 10 API calls 3228->3238 3239 4065d0 lstrcatA 3228->3239 3250 40626f 3228->3250 3255 4062e6 wsprintfA 3228->3255 3256 406388 lstrcpynA 3228->3256 3229->3228 3232->3229 3234->3228 3235->3228 3236->3228 3237->3228 3240 4065a2 SHGetPathFromIDListA CoTaskMemFree 3237->3240 3238->3228 3239->3228 3240->3228 3248 406672 3241->3248 3242 4066da 3243 4066de CharPrevA 3242->3243 3246 4066f9 3242->3246 3243->3242 3244 4066cf CharNextA 3244->3242 3244->3248 3246->3185 3247 4066bd CharNextA 3247->3248 3248->3242 3248->3244 3248->3247 3249 4066ca CharNextA 3248->3249 3262 405d45 3248->3262 3249->3244 3258 40620e 3250->3258 3253 4062a3 RegQueryValueExA RegCloseKey 3254 4062d2 3253->3254 3254->3228 3255->3228 3256->3228 3257->3226 3259 40621d 3258->3259 3260 406221 3259->3260 3261 406226 RegOpenKeyExA 3259->3261 3260->3253 3260->3254 3261->3260 3263 405d4b 3262->3263 3264 405d5e 3263->3264 3265 405d51 CharNextA 3263->3265 3264->3248 3265->3263 3315 406388 lstrcpynA 3266->3315 3268 405e19 3316 405db3 CharNextA CharNextA 3268->3316 3271 405b6a 3271->3190 3271->3191 3272 406666 5 API calls 3278 405e2f 3272->3278 3273 405e5a lstrlenA 3274 405e65 3273->3274 3273->3278 3276 405d1a 3 API calls 3274->3276 3275 4066ff 2 API calls 3275->3278 3277 405e6a GetFileAttributesA 3276->3277 3277->3271 3278->3271 3278->3273 3278->3275 3279 405d61 2 API calls 3278->3279 3279->3273 3280->3194 3282 405d6e 3281->3282 3283 405d73 CharPrevA 3282->3283 3284 405d7f 3282->3284 3283->3282 3283->3284 3284->3198 3285->3210 3322 405ef6 GetFileAttributesA 3286->3322 3289 405b2f 3289->3210 3290 405b25 DeleteFileA 3292 405b2b 3290->3292 3291 405b1d RemoveDirectoryA 3291->3292 3292->3289 3293 405b3b SetFileAttributesA 3292->3293 3293->3289 3295 4054c4 3294->3295 3304 405567 3294->3304 3296 4054e1 lstrlenA 3295->3296 3297 40641b 17 API calls 3295->3297 3298 40550a 3296->3298 3299 4054ef lstrlenA 3296->3299 3297->3296 3301 405510 SetWindowTextA 3298->3301 3302 40551d 3298->3302 3300 405501 lstrcatA 3299->3300 3299->3304 3300->3298 3301->3302 3303 405523 SendMessageA SendMessageA SendMessageA 3302->3303 3302->3304 3303->3304 3304->3210 3306 406182 3305->3306 3307 406175 3305->3307 3306->3210 3325 405ff1 3307->3325 3310 405cdb 3309->3310 3311 406715 FindClose 3309->3311 3310->3220 3312 405d1a lstrlenA CharPrevA 3310->3312 3311->3310 3313 405d34 lstrcatA 3312->3313 3314 405ce5 3312->3314 3313->3314 3314->3206 3315->3268 3317 405dde 3316->3317 3318 405dce 3316->3318 3320 405d45 CharNextA 3317->3320 3321 405dfe 3317->3321 3318->3317 3319 405dd9 CharNextA 3318->3319 3319->3321 3320->3317 3321->3271 3321->3272 3323 405b0e 3322->3323 3324 405f08 SetFileAttributesA 3322->3324 3323->3289 3323->3290 3323->3291 3324->3323 3326 406017 3325->3326 3327 40603d GetShortPathNameA 3325->3327 3352 405f1b GetFileAttributesA CreateFileA 3326->3352 3329 406052 3327->3329 3330 40615c 3327->3330 3329->3330 3332 40605a wsprintfA 3329->3332 3330->3306 3331 406021 CloseHandle GetShortPathNameA 3331->3330 3333 406035 3331->3333 3334 40641b 17 API calls 3332->3334 3333->3327 3333->3330 3335 406082 3334->3335 3353 405f1b GetFileAttributesA CreateFileA 3335->3353 3337 40608f 3337->3330 3338 40609e GetFileSize GlobalAlloc 3337->3338 3339 4060c0 3338->3339 3340 406155 CloseHandle 3338->3340 3354 405f93 ReadFile 3339->3354 3340->3330 3345 4060f3 3347 405e80 4 API calls 3345->3347 3346 4060df lstrcpyA 3348 406101 3346->3348 3347->3348 3349 406138 SetFilePointer 3348->3349 3361 405fc2 WriteFile 3349->3361 3352->3331 3353->3337 3355 405fb1 3354->3355 3355->3340 3356 405e80 lstrlenA 3355->3356 3357 405ec1 lstrlenA 3356->3357 3358 405ec9 3357->3358 3359 405e9a lstrcmpiA 3357->3359 3358->3345 3358->3346 3359->3358 3360 405eb8 CharNextA 3359->3360 3360->3357 3362 405fe0 GlobalFree 3361->3362 3362->3340 4729 402733 4730 40273a 4729->4730 4733 402a47 4729->4733 4731 402c17 17 API calls 4730->4731 4732 402741 4731->4732 4734 402750 SetFilePointer 4732->4734 4734->4733 4735 402760 4734->4735 4737 4062e6 wsprintfA 4735->4737 4737->4733 4738 401e35 GetDC 4739 402c17 17 API calls 4738->4739 4740 401e47 GetDeviceCaps MulDiv ReleaseDC 4739->4740 4741 402c17 17 API calls 4740->4741 4742 401e78 4741->4742 4743 40641b 17 API calls 4742->4743 4744 401eb5 CreateFontIndirectA 4743->4744 4745 402628 4744->4745 4746 4014b7 4747 4014bd 4746->4747 4748 401389 2 API calls 4747->4748 4749 4014c5 4748->4749 3558 4015bb 3559 402c39 17 API calls 3558->3559 3560 4015c2 3559->3560 3561 405db3 4 API calls 3560->3561 3574 4015ca 3561->3574 3562 401624 3564 401652 3562->3564 3565 401629 3562->3565 3563 405d45 CharNextA 3563->3574 3567 401423 24 API calls 3564->3567 3566 401423 24 API calls 3565->3566 3568 401630 3566->3568 3575 40164a 3567->3575 3585 406388 lstrcpynA 3568->3585 3572 40163b SetCurrentDirectoryA 3572->3575 3573 40160c GetFileAttributesA 3573->3574 3574->3562 3574->3563 3574->3573 3577 405a09 3574->3577 3580 40596f CreateDirectoryA 3574->3580 3586 4059ec CreateDirectoryA 3574->3586 3589 406794 GetModuleHandleA 3577->3589 3581 4059c0 GetLastError 3580->3581 3582 4059bc 3580->3582 3581->3582 3583 4059cf SetFileSecurityA 3581->3583 3582->3574 3583->3582 3584 4059e5 GetLastError 3583->3584 3584->3582 3585->3572 3587 405a00 GetLastError 3586->3587 3588 4059fc 3586->3588 3587->3588 3588->3574 3590 4067b0 3589->3590 3591 4067ba GetProcAddress 3589->3591 3595 406726 GetSystemDirectoryA 3590->3595 3593 405a10 3591->3593 3593->3574 3594 4067b6 3594->3591 3594->3593 3596 406748 wsprintfA LoadLibraryExA 3595->3596 3596->3594 4750 40453b lstrcpynA lstrlenA 4751 4016bb 4752 402c39 17 API calls 4751->4752 4753 4016c1 GetFullPathNameA 4752->4753 4754 4016d8 4753->4754 4760 4016f9 4753->4760 4756 4066ff 2 API calls 4754->4756 4754->4760 4755 40170d GetShortPathNameA 4757 402ac5 4755->4757 4758 4016e9 4756->4758 4758->4760 4761 406388 lstrcpynA 4758->4761 4760->4755 4760->4757 4761->4760 4762 406ebd 4764 40690c 4762->4764 4763 407277 4764->4763 4764->4764 4765 406996 GlobalAlloc 4764->4765 4766 40698d GlobalFree 4764->4766 4767 406a04 GlobalFree 4764->4767 4768 406a0d GlobalAlloc 4764->4768 4765->4763 4765->4764 4766->4765 4767->4768 4768->4763 4768->4764

                                                    Executed Functions

                                                    Function 004034CC Relevance: 94.9, APIs: 34, Strings: 20, Instructions: 417stringfilecomCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 4034cc-40351c SetErrorMode GetVersionExA 1 40355d 0->1 2 40351e-403538 GetVersionExA 0->2 3 403564 1->3 2->3 4 40353a-403559 2->4 5 403566-403571 3->5 6 403588-40358f 3->6 4->1 7 403573-403582 5->7 8 403584 5->8 9 403591 6->9 10 403599-4035d9 6->10 7->6 8->6 9->10 11 4035db-4035e3 call 406794 10->11 12 4035ec 10->12 11->12 17 4035e5 11->17 14 4035f1-403605 call 406726 lstrlenA 12->14 19 403607-403623 call 406794 * 3 14->19 17->12 26 403634-403694 #17 OleInitialize SHGetFileInfoA call 406388 GetCommandLineA call 406388 19->26 27 403625-40362b 19->27 34 403696-40369a 26->34 35 40369f-4036b2 call 405d45 CharNextA 26->35 27->26 31 40362d 27->31 31->26 34->35 38 403773-403777 35->38 39 4036b7-4036ba 38->39 40 40377d 38->40 41 4036c2-4036c9 39->41 42 4036bc-4036c0 39->42 43 403791-4037ab GetTempPathA call 40349b 40->43 44 4036d0-4036d3 41->44 45 4036cb-4036cc 41->45 42->41 42->42 53 403803-40381b DeleteFileA call 402f5c 43->53 54 4037ad-4037cb GetWindowsDirectoryA lstrcatA call 40349b 43->54 47 403764-403770 call 405d45 44->47 48 4036d9-4036dd 44->48 45->44 47->38 63 403772 47->63 51 4036f5-403722 48->51 52 4036df-4036e5 48->52 59 403734-403762 51->59 60 403724-40372a 51->60 57 4036e7-4036e9 52->57 58 4036eb 52->58 68 403821-403827 53->68 69 4038ae-4038bf ExitProcess OleUninitialize 53->69 54->53 71 4037cd-4037fd GetTempPathA lstrcatA SetEnvironmentVariableA * 2 call 40349b 54->71 57->51 57->58 58->51 59->47 62 40377f-40378c call 406388 59->62 65 403730 60->65 66 40372c-40372e 60->66 62->43 63->38 65->59 66->59 66->65 73 403829-403834 call 405d45 68->73 74 40389f-4038a6 call 403b6e 68->74 75 4038c5-4038d4 call 405a9e ExitProcess 69->75 76 4039e8-4039ee 69->76 71->53 71->69 91 403836-40385f 73->91 92 40386a-403873 73->92 83 4038ab 74->83 81 4039f0-403a05 GetCurrentProcess OpenProcessToken 76->81 82 403a66-403a6e 76->82 88 403a36-403a44 call 406794 81->88 89 403a07-403a30 LookupPrivilegeValueA AdjustTokenPrivileges 81->89 85 403a70 82->85 86 403a73-403a76 ExitProcess 82->86 83->69 85->86 97 403a52-403a5d ExitWindowsEx 88->97 98 403a46-403a50 88->98 89->88 94 403861-403863 91->94 95 403875-403883 call 405e08 92->95 96 4038da-4038ee call 405a09 lstrcatA 92->96 94->92 99 403865-403868 94->99 95->69 105 403885-40389b call 406388 * 2 95->105 108 4038f0-4038f6 lstrcatA 96->108 109 4038fb-403915 lstrcatA lstrcmpiA 96->109 97->82 102 403a5f-403a61 call 40140b 97->102 98->97 98->102 99->92 99->94 102->82 105->74 108->109 109->69 111 403917-40391a 109->111 113 403923 call 4059ec 111->113 114 40391c-403921 call 40596f 111->114 120 403928-403936 SetCurrentDirectoryA 113->120 114->120 121 403943-40396e call 406388 120->121 122 403938-40393e call 406388 120->122 126 403974-403991 call 40641b DeleteFileA 121->126 122->121 129 4039d1-4039da 126->129 130 403993-4039a3 CopyFileA 126->130 129->126 132 4039dc-4039e3 call 406161 129->132 130->129 131 4039a5-4039c5 call 406161 call 40641b call 405a21 130->131 131->129 141 4039c7-4039ce CloseHandle 131->141 132->69 141->129
                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008001), ref: 004034EF
                                                    • GetVersionExA.KERNEL32(?), ref: 00403518
                                                    • GetVersionExA.KERNEL32(0000009C), ref: 0040352F
                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
                                                    • OleInitialize.OLE32(00000000), ref: 0040363C
                                                    • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
                                                    • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
                                                    • CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
                                                    • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
                                                    • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
                                                    • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
                                                    • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
                                                    • ExitProcess.KERNEL32 ref: 004038D4
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                                                    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
                                                    • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                                                    • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                                                    • CopyFileA.KERNEL32 ref: 0040399B
                                                    • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                                                    • ExitProcess.KERNEL32 ref: 00403A76
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                    • String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                    • API String ID: 2882342585-3053247857
                                                    • Opcode ID: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
                                                    • Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
                                                    • Opcode Fuzzy Hash: 912f83a836eb1fe613a791148bb63afd1bd4364e3d9f696fa0d110b9325e2922
                                                    • Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E
                                                    Function 00405B4A Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159filestringCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 351 405b4a-405b70 call 405e08 354 405b72-405b84 DeleteFileA 351->354 355 405b89-405b90 351->355 356 405d13-405d17 354->356 357 405b92-405b94 355->357 358 405ba3-405bb3 call 406388 355->358 359 405cc1-405cc6 357->359 360 405b9a-405b9d 357->360 364 405bc2-405bc3 call 405d61 358->364 365 405bb5-405bc0 lstrcatA 358->365 359->356 363 405cc8-405ccb 359->363 360->358 360->359 366 405cd5-405cdd call 4066ff 363->366 367 405ccd-405cd3 363->367 369 405bc8-405bcb 364->369 365->369 366->356 374 405cdf-405cf3 call 405d1a call 405b02 366->374 367->356 372 405bd6-405bdc lstrcatA 369->372 373 405bcd-405bd4 369->373 375 405be1-405bff lstrlenA FindFirstFileA 372->375 373->372 373->375 390 405cf5-405cf8 374->390 391 405d0b-405d0e call 4054a9 374->391 377 405c05-405c1c call 405d45 375->377 378 405cb7-405cbb 375->378 384 405c27-405c2a 377->384 385 405c1e-405c22 377->385 378->359 380 405cbd 378->380 380->359 388 405c2c-405c31 384->388 389 405c3d-405c4b call 406388 384->389 385->384 387 405c24 385->387 387->384 392 405c33-405c35 388->392 393 405c96-405ca8 FindNextFileA 388->393 401 405c62-405c6d call 405b02 389->401 402 405c4d-405c55 389->402 390->367 395 405cfa-405d09 call 4054a9 call 406161 390->395 391->356 392->389 397 405c37-405c3b 392->397 393->377 399 405cae-405cb1 FindClose 393->399 395->356 397->389 397->393 399->378 410 405c8e-405c91 call 4054a9 401->410 411 405c6f-405c72 401->411 402->393 404 405c57-405c60 call 405b4a 402->404 404->393 410->393 413 405c74-405c84 call 4054a9 call 406161 411->413 414 405c86-405c8c 411->414 413->393 414->393
                                                    APIs
                                                    • DeleteFileA.KERNELBASE(?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
                                                    • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
                                                    • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
                                                    • FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
                                                    • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
                                                    • FindClose.KERNEL32(00000000), ref: 00405CB1
                                                    Strings
                                                    • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
                                                    • \*.*, xrefs: 00405BB5
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                    • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
                                                    • API String ID: 2035342205-2936579034
                                                    • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                    • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                                                    • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                    • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69
                                                    Function 00406A88 Relevance: 5.4, APIs: 4, Instructions: 382COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 583 406a88-406a8d 584 406afe-406b1c 583->584 585 406a8f-406abe 583->585 586 4070f4-407109 584->586 587 406ac0-406ac3 585->587 588 406ac5-406ac9 585->588 589 407123-407139 586->589 590 40710b-407121 586->590 591 406ad5-406ad8 587->591 592 406ad1 588->592 593 406acb-406acf 588->593 594 40713c-407143 589->594 590->594 595 406af6-406af9 591->595 596 406ada-406ae3 591->596 592->591 593->591 600 407145-407149 594->600 601 40716a-407176 594->601 599 406ccb-406ce9 595->599 597 406ae5 596->597 598 406ae8-406af4 596->598 597->598 602 406b5e-406b8c 598->602 606 406d01-406d13 599->606 607 406ceb-406cff 599->607 603 4072f8-407302 600->603 604 40714f-407167 600->604 611 40690c-406915 601->611 609 406ba8-406bc2 602->609 610 406b8e-406ba6 602->610 608 40730e-407321 603->608 604->601 612 406d16-406d20 606->612 607->612 616 407326-40732a 608->616 615 406bc5-406bcf 609->615 610->615 613 407323 611->613 614 40691b 611->614 617 406d22 612->617 618 406cc3-406cc9 612->618 613->616 621 406922-406926 614->621 622 406a62-406a83 614->622 623 4069c7-4069cb 614->623 624 406a37-406a3b 614->624 626 406bd5 615->626 627 406b46-406b4c 615->627 619 406e33-406e40 617->619 620 406c9e-406ca2 617->620 618->599 625 406c67-406c71 618->625 619->611 630 406e8f-406e9e 619->630 635 406ca8-406cc0 620->635 636 4072aa-4072b4 620->636 621->608 637 40692c-406939 621->637 622->586 628 4069d1-4069ea 623->628 629 407277-407281 623->629 638 406a41-406a55 624->638 639 407286-407290 624->639 631 4072b6-4072c0 625->631 632 406c77-406c99 625->632 645 407292-40729c 626->645 646 406b2b-406b43 626->646 633 406b52-406b58 627->633 634 406bff-406c05 627->634 644 4069ed-4069f1 628->644 629->608 630->586 631->608 632->619 633->602 641 406c63 633->641 634->641 642 406c07-406c25 634->642 635->618 636->608 637->613 643 40693f-406985 637->643 647 406a58-406a60 638->647 639->608 641->625 648 406c27-406c3b 642->648 649 406c3d-406c4f 642->649 651 406987-40698b 643->651 652 4069ad-4069af 643->652 644->623 650 4069f3-4069f9 644->650 645->608 646->627 647->622 647->624 653 406c52-406c5c 648->653 649->653 658 406a23-406a35 650->658 659 4069fb-406a02 650->659 654 406996-4069a4 GlobalAlloc 651->654 655 40698d-406990 GlobalFree 651->655 656 4069b1-4069bb 652->656 657 4069bd-4069c5 652->657 653->634 660 406c5e 653->660 654->613 663 4069aa 654->663 655->654 656->656 656->657 657->644 658->647 661 406a04-406a07 GlobalFree 659->661 662 406a0d-406a1d GlobalAlloc 659->662 665 406be4-406bfc 660->665 666 40729e-4072a8 660->666 661->662 662->613 662->658 663->652 665->634 666->608
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                    • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                                                    • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                    • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
                                                    Function 004066FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • FindFirstFileA.KERNELBASE(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
                                                    • FindClose.KERNEL32(00000000), ref: 00406716
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID: C:\
                                                    • API String ID: 2295610775-3404278061
                                                    • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                    • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                                                    • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                    • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC
                                                    Function 00403B6E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215stringregistryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 142 403b6e-403b86 call 406794 145 403b88-403b98 call 4062e6 142->145 146 403b9a-403bcb call 40626f 142->146 154 403bee-403c17 call 403e33 call 405e08 145->154 150 403be3-403be9 lstrcatA 146->150 151 403bcd-403bde call 40626f 146->151 150->154 151->150 160 403c1d-403c22 154->160 161 403c9e-403ca6 call 405e08 154->161 160->161 162 403c24-403c48 call 40626f 160->162 166 403cb4-403cd9 LoadImageA 161->166 167 403ca8-403caf call 40641b 161->167 162->161 172 403c4a-403c4c 162->172 170 403d5a-403d62 call 40140b 166->170 171 403cdb-403d0b RegisterClassA 166->171 167->166 185 403d64-403d67 170->185 186 403d6c-403d77 call 403e33 170->186 175 403d11-403d55 SystemParametersInfoA CreateWindowExA 171->175 176 403e29 171->176 173 403c5d-403c69 lstrlenA 172->173 174 403c4e-403c5b call 405d45 172->174 180 403c91-403c99 call 405d1a call 406388 173->180 181 403c6b-403c79 lstrcmpiA 173->181 174->173 175->170 179 403e2b-403e32 176->179 180->161 181->180 184 403c7b-403c85 GetFileAttributesA 181->184 188 403c87-403c89 184->188 189 403c8b-403c8c call 405d61 184->189 185->179 195 403e00-403e08 call 40557b 186->195 196 403d7d-403d97 ShowWindow call 406726 186->196 188->180 188->189 189->180 201 403e22-403e24 call 40140b 195->201 202 403e0a-403e10 195->202 203 403da3-403db5 GetClassInfoA 196->203 204 403d99-403d9e call 406726 196->204 201->176 202->185 209 403e16-403e1d call 40140b 202->209 207 403db7-403dc7 GetClassInfoA RegisterClassA 203->207 208 403dcd-403dfe DialogBoxParamA call 40140b call 403abe 203->208 204->203 207->208 208->179 209->185
                                                    APIs
                                                      • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                      • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                    • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,?,?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000000,C:\Users\user\AppData\Roaming\Pinball,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
                                                    • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
                                                    • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
                                                    • LoadImageA.USER32 ref: 00403CC5
                                                      • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                    • RegisterClassA.USER32(00423EE0), ref: 00403D02
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
                                                    • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
                                                    • ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
                                                    • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
                                                    • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
                                                    • RegisterClassA.USER32(00423EE0), ref: 00403DC7
                                                    • DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
                                                    • API String ID: 1975747703-2706893456
                                                    • Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
                                                    • Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
                                                    • Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
                                                    • Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D
                                                    Function 00402F5C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 216 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 219 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 216->219 220 402fac-402fb1 216->220 228 402fea 219->228 229 4030cf-4030dd call 402ebd 219->229 221 4031f6-4031fa 220->221 231 402fef-403006 228->231 235 4030e3-4030e6 229->235 236 4031ae-4031b3 229->236 233 403008 231->233 234 40300a-403013 call 40346e 231->234 233->234 243 403019-403020 234->243 244 40316a-403172 call 402ebd 234->244 238 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 235->238 239 4030e8-403100 call 403484 call 40346e 235->239 236->221 265 403160-403165 238->265 266 403174-4031a4 call 403484 call 4031fd 238->266 239->236 267 403106-40310c 239->267 248 403022-403036 call 405ed6 243->248 249 40309c-4030a0 243->249 244->236 255 4030aa-4030b0 248->255 263 403038-40303f 248->263 254 4030a2-4030a9 call 402ebd 249->254 249->255 254->255 256 4030b2-4030bc call 40684b 255->256 257 4030bf-4030c7 255->257 256->257 257->231 264 4030cd 257->264 263->255 270 403041-403048 263->270 264->229 265->221 277 4031a9-4031ac 266->277 267->236 267->238 270->255 272 40304a-403051 270->272 272->255 274 403053-40305a 272->274 274->255 276 40305c-40307c 274->276 276->236 278 403082-403086 276->278 277->236 279 4031b5-4031c6 277->279 280 403088-40308c 278->280 281 40308e-403096 278->281 282 4031c8 279->282 283 4031ce-4031d3 279->283 280->264 280->281 281->255 285 403098-40309a 281->285 282->283 284 4031d4-4031da 283->284 284->284 286 4031dc-4031f4 call 405ed6 284->286 285->255 286->221
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00402F70
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C
                                                      • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                                                      • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                    • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
                                                    • GlobalAlloc.KERNELBASE(00000040,00000009), ref: 00403117
                                                    Strings
                                                    • Inst, xrefs: 00403041
                                                    • C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                                                    • soft, xrefs: 0040304A
                                                    • Error launching installer, xrefs: 00402FAC
                                                    • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
                                                    • Null, xrefs: 00403053
                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                    • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                    • API String ID: 2803837635-1586733961
                                                    • Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                                                    • Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
                                                    • Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                                                    • Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C
                                                    Function 0040641B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 198stringCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 289 40641b-406426 290 406428-406437 289->290 291 406439-40644f 289->291 290->291 292 406643-406647 291->292 293 406455-406460 291->293 294 406472-40647c 292->294 295 40664d-406657 292->295 293->292 296 406466-40646d 293->296 294->295 299 406482-406489 294->299 297 406662-406663 295->297 298 406659-40665d call 406388 295->298 296->292 298->297 301 406636 299->301 302 40648f-4064c3 299->302 303 406640-406642 301->303 304 406638-40663e 301->304 305 4065e3-4065e6 302->305 306 4064c9-4064d3 302->306 303->292 304->292 307 406616-406619 305->307 308 4065e8-4065eb 305->308 309 4064f0 306->309 310 4064d5-4064de 306->310 314 406627-406634 lstrlenA 307->314 315 40661b-406622 call 40641b 307->315 311 4065fb-406607 call 406388 308->311 312 4065ed-4065f9 call 4062e6 308->312 313 4064f7-4064fe 309->313 310->309 316 4064e0-4064e3 310->316 327 40660c-406612 311->327 312->327 319 406500-406502 313->319 320 406503-406505 313->320 314->292 315->314 316->309 317 4064e5-4064e8 316->317 317->309 323 4064ea-4064ee 317->323 319->320 325 406507-40652a call 40626f 320->325 326 40653e-406541 320->326 323->313 337 406530-406539 call 40641b 325->337 338 4065ca-4065ce 325->338 330 406551-406554 326->330 331 406543-40654f GetSystemDirectoryA 326->331 327->314 329 406614 327->329 333 4065db-4065e1 call 406666 329->333 335 4065c1-4065c3 330->335 336 406556-406564 GetWindowsDirectoryA 330->336 334 4065c5-4065c8 331->334 333->314 334->333 334->338 335->334 339 406566-406570 335->339 336->335 337->334 338->333 344 4065d0-4065d6 lstrcatA 338->344 341 406572-406575 339->341 342 40658a-4065a0 SHGetSpecialFolderLocation 339->342 341->342 346 406577-40657e 341->346 347 4065a2-4065bc SHGetPathFromIDListA CoTaskMemFree 342->347 348 4065be 342->348 344->333 350 406586-406588 346->350 347->334 347->348 348->335 350->334 350->342
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000400), ref: 00406549
                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
                                                    • SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
                                                    • SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe), ref: 004065A6
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004065B2
                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
                                                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                    • API String ID: 717251189-3468578744
                                                    • Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                    • Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
                                                    • Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                    • Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E
                                                    Function 00401759 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147stringtimeCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,00000031), ref: 00401798
                                                    • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00000000,00000000,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,00000031), ref: 004017C2
                                                      • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                      • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                      • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 0040553D
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405557
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405565
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$C:\Users\user\AppData\Roaming\Pinball\Uninstall.exe
                                                    • API String ID: 1941528284-873260721
                                                    • Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                                                    • Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
                                                    • Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                                                    • Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE
                                                    Function 0040596F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 487 40596f-4059ba CreateDirectoryA 488 4059c0-4059cd GetLastError 487->488 489 4059bc-4059be 487->489 490 4059e7-4059e9 488->490 491 4059cf-4059e3 SetFileSecurityA 488->491 489->490 491->489 492 4059e5 GetLastError 491->492 492->490
                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                    • GetLastError.KERNEL32 ref: 004059C6
                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                                                    • GetLastError.KERNEL32 ref: 004059E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                    • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 3449924974-3700438604
                                                    • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                    • Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
                                                    • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                    • Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99
                                                    Function 00406726 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 493 406726-406746 GetSystemDirectoryA 494 406748 493->494 495 40674a-40674c 493->495 494->495 496 40675c-40675e 495->496 497 40674e-406756 495->497 499 40675f-406791 wsprintfA LoadLibraryExA 496->499 497->496 498 406758-40675a 497->498 498->499
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                    • wsprintfA.USER32 ref: 00406776
                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                    • String ID: %s%s.dll$UXTHEME$\
                                                    • API String ID: 2200240437-4240819195
                                                    • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                    • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                                                    • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                    • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69
                                                    Function 004027E8 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                    • GlobalFree.KERNEL32 ref: 004028A4
                                                    • GlobalFree.KERNEL32 ref: 004028B7
                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
                                                    • String ID:
                                                    • API String ID: 2989416154-0
                                                    • Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                    • Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
                                                    • Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                    • Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68
                                                    Function 00405F4A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 536 405f4a-405f54 537 405f55-405f80 GetTickCount GetTempFileNameA 536->537 538 405f82-405f84 537->538 539 405f8f-405f91 537->539 538->537 540 405f86 538->540 541 405f89-405f8c 539->541 540->541
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00405F5E
                                                    • GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CountFileNameTempTick
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                    • API String ID: 1716503409-44229769
                                                    • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                    • Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
                                                    • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                    • Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798
                                                    Function 004020A5 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 542 4020a5-4020b1 543 4020b7-4020cd call 402c39 * 2 542->543 544 40216c-40216e 542->544 553 4020dc-4020ea LoadLibraryExA 543->553 554 4020cf-4020da GetModuleHandleA 543->554 546 4022e5-4022ea call 401423 544->546 552 402ac5-402ad4 546->552 556 4020ec-4020f9 GetProcAddress 553->556 557 402165-402167 553->557 554->553 554->556 559 402138-40213d call 4054a9 556->559 560 4020fb-402101 556->560 557->546 564 402142-402145 559->564 562 402103-40210f call 401423 560->562 563 40211a-40212e 560->563 562->564 573 402111-402118 562->573 566 402133-402136 563->566 564->552 567 40214b-402153 call 403b0e 564->567 566->564 567->552 572 402159-402160 FreeLibrary 567->572 572->552 573->564
                                                    APIs
                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                      • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                      • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 0040553D
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405557
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405565
                                                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                    • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                    • String ID:
                                                    • API String ID: 2987980305-0
                                                    • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                    • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                                                    • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                    • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E
                                                    Function 00403A7C Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 574 403a7c-403a8b 575 403a97-403a9f 574->575 576 403a8d-403a90 CloseHandle 574->576 577 403aa1-403aa4 CloseHandle 575->577 578 403aab-403ab7 call 403ad9 call 405b4a 575->578 576->575 577->578 582 403abc-403abd 578->582
                                                    APIs
                                                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
                                                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\nsuEC72.tmp\, xrefs: 00403AB2
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CloseHandle
                                                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsuEC72.tmp\
                                                    • API String ID: 2962429428-293109357
                                                    • Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                    • Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
                                                    • Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                    • Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9
                                                    Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 667 4015bb-4015ce call 402c39 call 405db3 672 4015d0-4015e3 call 405d45 667->672 673 401624-401627 667->673 681 4015e5-4015e8 672->681 682 4015fb-4015fc call 4059ec 672->682 675 401652-4022ea call 401423 673->675 676 401629-401644 call 401423 call 406388 SetCurrentDirectoryA 673->676 689 402ac5-402ad4 675->689 676->689 696 40164a-40164d 676->696 681->682 686 4015ea-4015f1 call 405a09 681->686 688 401601-401603 682->688 686->682 699 4015f3-4015f4 call 40596f 686->699 692 401605-40160a 688->692 693 40161a-401622 688->693 697 401617 692->697 698 40160c-401615 GetFileAttributesA 692->698 693->672 693->673 696->689 697->693 698->693 698->697 702 4015f9 699->702 702->688
                                                    APIs
                                                      • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                                                      • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                      • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                      • Part of subcall function 0040596F: CreateDirectoryA.KERNELBASE(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Pinball,00000000,00000000,000000F0), ref: 0040163C
                                                    Strings
                                                    • C:\Users\user\AppData\Roaming\Pinball, xrefs: 00401631
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball
                                                    • API String ID: 1892508949-1859035047
                                                    • Opcode ID: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
                                                    • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                                                    • Opcode Fuzzy Hash: 686546c29d77d16800122f5f58dad040e92f1cd5cb46c8d43cba2cc5979698c7
                                                    • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E
                                                    Function 00405E08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 703 405e08-405e23 call 406388 call 405db3 708 405e25-405e27 703->708 709 405e29-405e36 call 406666 703->709 710 405e7b-405e7d 708->710 713 405e42-405e44 709->713 714 405e38-405e3c 709->714 715 405e5a-405e63 lstrlenA 713->715 714->708 716 405e3e-405e40 714->716 717 405e65-405e79 call 405d1a GetFileAttributesA 715->717 718 405e46-405e4d call 4066ff 715->718 716->708 716->713 717->710 723 405e54-405e55 call 405d61 718->723 724 405e4f-405e52 718->724 723->715 724->708 724->723
                                                    APIs
                                                      • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                      • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                                                      • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                      • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                    • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
                                                    • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                    • String ID: C:\
                                                    • API String ID: 3248276644-3404278061
                                                    • Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                    • Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
                                                    • Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                    • Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
                                                    Function 00406EBD Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                    • Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
                                                    • Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                    • Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                    Function 004070BE Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                    • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                                                    • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                    • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                    Function 00406DD4 Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                    • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                                                    • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                    • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                                                    Function 004068D9 Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                    • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                                                    • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                    • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45
                                                    Function 00406D27 Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                    • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                                                    • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                    • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                                                    Function 00406E45 Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                    • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                                                    • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                    • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                                                    Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                                                    • Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
                                                    • Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                                                    • Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
                                                    Function 00403305 Relevance: 4.6, APIs: 3, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetTickCount.KERNEL32 ref: 00403319
                                                      • Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
                                                    • SetFilePointer.KERNELBASE(155C335A,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: FilePointer$CountTick
                                                    • String ID:
                                                    • API String ID: 1092082344-0
                                                    • Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                    • Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
                                                    • Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                    • Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD
                                                    Function 0040247E Relevance: 4.6, APIs: 3, Instructions: 64registrystringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
                                                    • RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
                                                    • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CloseValuelstrlen
                                                    • String ID:
                                                    • API String ID: 2655323295-0
                                                    • Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                                                    • Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
                                                    • Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                                                    • Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
                                                    Function 00402590 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                                                    • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                                                    • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Enum$CloseValue
                                                    • String ID:
                                                    • API String ID: 397863658-0
                                                    • Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
                                                    • Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
                                                    • Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
                                                    • Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
                                                    Function 00405B02 Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                      • Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                      • Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
                                                    • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
                                                    • DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: File$Attributes$DeleteDirectoryRemove
                                                    • String ID:
                                                    • API String ID: 1655745494-0
                                                    • Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                    • Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
                                                    • Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                    • Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
                                                    Function 004031FD Relevance: 3.1, APIs: 2, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                    • Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
                                                    • Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                    • Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
                                                    Function 0040251E Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
                                                    • RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID:
                                                    • API String ID: 3356406503-0
                                                    • Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
                                                    • Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
                                                    • Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
                                                    • Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
                                                    Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • MulDiv.KERNEL32(00007530,00000000,00000000,?,80040002,00401420,?,00000000,00403A66), ref: 004013E4
                                                    • SendMessageA.USER32 ref: 004013F4
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                    • Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
                                                    • Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                    • Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
                                                    Function 00405A21 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateHandleProcess
                                                    • String ID:
                                                    • API String ID: 3712363035-0
                                                    • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                    • Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
                                                    • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                    • Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
                                                    Function 00406794 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                      • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                      • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
                                                      • Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                    • String ID:
                                                    • API String ID: 2547128583-0
                                                    • Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
                                                    • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                                                    • Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
                                                    • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
                                                    Function 00405F1B Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesCreate
                                                    • String ID:
                                                    • API String ID: 415043291-0
                                                    • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                    • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                    • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                    • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                                                    Function 00405EF6 Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                    • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                    • Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
                                                    • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                    • Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
                                                    Function 004059EC Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
                                                    • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectoryErrorLast
                                                    • String ID:
                                                    • API String ID: 1375471231-0
                                                    • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                    • Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
                                                    • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                    • Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
                                                    Function 0040623C Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                    • Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
                                                    • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                    • Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734
                                                    Function 00405FC2 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040DA16,0040B8F8,00403405,0040B8F8,0040DA16,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: FileWrite
                                                    • String ID:
                                                    • API String ID: 3934441357-0
                                                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                    • Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
                                                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                    • Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4
                                                    Function 00405F93 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                    • Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
                                                    • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                    • Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
                                                    Function 00403484 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: FilePointer
                                                    • String ID:
                                                    • API String ID: 973152223-0
                                                    • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                    • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                    • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                    • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                    Function 00401F7B Relevance: 1.3, APIs: 1, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    APIs
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                      • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                      • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 0040553D
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405557
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405565
                                                      • Part of subcall function 00405A21: CreateProcessA.KERNELBASE ref: 00405A4A
                                                      • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                      • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                      • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                      • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                    • String ID:
                                                    • API String ID: 2972824698-0
                                                    • Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
                                                    • Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
                                                    • Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
                                                    • Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E

                                                    Non-executed Functions

                                                    Function 004055E7 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                    • String ID: PB
                                                    • API String ID: 590372296-3196168531
                                                    • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                    • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                                                    • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                    • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                                                    Function 00404E0A Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                    • String ID: $M$N
                                                    • API String ID: 2564846305-813528018
                                                    • Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                    • Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
                                                    • Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                    • Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
                                                    Function 00403F0B Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
                                                    • ShowWindow.USER32(?), ref: 00403F67
                                                    • GetWindowLongA.USER32 ref: 00403F79
                                                    • ShowWindow.USER32(?,00000004), ref: 00403F92
                                                    • DestroyWindow.USER32 ref: 00403FA6
                                                    • SetWindowLongA.USER32 ref: 00403FBF
                                                    • GetDlgItem.USER32 ref: 00403FDE
                                                    • SendMessageA.USER32 ref: 00403FF2
                                                    • IsWindowEnabled.USER32(00000000), ref: 00403FF9
                                                    • GetDlgItem.USER32 ref: 004040A4
                                                    • GetDlgItem.USER32 ref: 004040AE
                                                    • SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
                                                    • SendMessageA.USER32 ref: 00404119
                                                    • GetDlgItem.USER32 ref: 004041BF
                                                    • ShowWindow.USER32(00000000,?), ref: 004041E0
                                                    • EnableWindow.USER32(?,?), ref: 004041F2
                                                    • EnableWindow.USER32(?,?), ref: 0040420D
                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
                                                    • EnableMenuItem.USER32 ref: 0040422A
                                                    • SendMessageA.USER32 ref: 00404242
                                                    • SendMessageA.USER32 ref: 00404255
                                                    • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                                                    • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                                                    • ShowWindow.USER32(?,0000000A), ref: 004043C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                    • String ID: PB
                                                    • API String ID: 1860320154-3196168531
                                                    • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                    • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                                                    • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                    • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
                                                    Function 00404570 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                    • String ID: N$6B
                                                    • API String ID: 3103080414-649610290
                                                    • Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                                                    • Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
                                                    • Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                                                    • Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
                                                    Function 00405FF1 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129memorystringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                                                    • GetShortPathNameA.KERNEL32 ref: 0040602B
                                                      • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                      • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                    • GetShortPathNameA.KERNEL32 ref: 00406048
                                                    • wsprintfA.USER32 ref: 00406066
                                                    • GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                                                    • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                                                    • GlobalFree.KERNEL32 ref: 0040614F
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
                                                      • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                                                      • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                    • String ID: %s=%s$[Rename]$*B$.B$.B
                                                    • API String ID: 2171350718-3836630945
                                                    • Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                    • Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
                                                    • Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                    • Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD
                                                    Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                    • FillRect.USER32 ref: 004010E4
                                                    • DeleteObject.GDI32 ref: 004010ED
                                                    • CreateFontIndirectA.GDI32 ref: 00401105
                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                    • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                    • DeleteObject.GDI32 ref: 00401165
                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                    • String ID: F
                                                    • API String ID: 941294808-1304234792
                                                    • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                    • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                                                    • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                    • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                                                    Function 00404897 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetDlgItem.USER32 ref: 004048E6
                                                    • SetWindowTextA.USER32(00000000,?), ref: 00404910
                                                    • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                                                    • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                                                    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00420D50), ref: 004049FE
                                                    • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe), ref: 00404A0A
                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                                                      • Part of subcall function 00405A82: GetDlgItemTextA.USER32 ref: 00405A95
                                                      • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                      • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                      • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                      • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                    • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                                                      • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                      • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                                                      • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                    • String ID: A$C:\Users\user\AppData\Roaming\Pinball$C:\Users\user\AppData\Roaming\Pinball\Pinball.exe$PB
                                                    • API String ID: 2624150263-1331625586
                                                    • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                    • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                                                    • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                    • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                                                    Function 004054A9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                    • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                    • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                    • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                    • SendMessageA.USER32 ref: 0040553D
                                                    • SendMessageA.USER32 ref: 00405557
                                                    • SendMessageA.USER32 ref: 00405565
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                    • String ID: 4/@
                                                    • API String ID: 2531174081-3101945251
                                                    • Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                    • Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
                                                    • Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                    • Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
                                                    Function 00406666 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                    • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                    • CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                    • CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                    Strings
                                                    • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
                                                    • *?|<>/":, xrefs: 004066AE
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Char$Next$Prev
                                                    • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 589700163-3087229427
                                                    • Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                    • Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
                                                    • Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                    • Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D
                                                    Function 00402EBD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
                                                    • GetTickCount.KERNEL32 ref: 00402EF3
                                                    • wsprintfA.USER32 ref: 00402F21
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                      • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                      • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                      • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 0040553D
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405557
                                                      • Part of subcall function 004054A9: SendMessageA.USER32 ref: 00405565
                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                                                      • Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,000015DE,00402F17), ref: 00402EB6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                    • String ID: ... %d%%$#Vh%.@
                                                    • API String ID: 722711167-1706192003
                                                    • Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                    • Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
                                                    • Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                    • Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE
                                                    Function 0040446C Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                    • String ID:
                                                    • API String ID: 2320649405-0
                                                    • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                    • Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
                                                    • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                    • Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54
                                                    Function 00404D58 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Message$Send$ClientScreen
                                                    • String ID: f
                                                    • API String ID: 41195575-1993550816
                                                    • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                    • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                                                    • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                    • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                                                    Function 00402E25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                    • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                    • API String ID: 1451636040-1158693248
                                                    • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                    • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                                                    • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                    • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
                                                    Function 00404C4E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                    • wsprintfA.USER32 ref: 00404CF4
                                                    • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: ItemTextlstrlenwsprintf
                                                    • String ID: %u.%u%s%s$PB
                                                    • API String ID: 3540041739-838025833
                                                    • Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                    • Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
                                                    • Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                    • Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
                                                    Function 00402D3B Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CloseEnum$DeleteValue
                                                    • String ID:
                                                    • API String ID: 1354259210-0
                                                    • Opcode ID: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
                                                    • Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
                                                    • Opcode Fuzzy Hash: e74c2f698c9890700b4790f2c47d05d8785518f345c631b22f69380fd2d26fe8
                                                    • Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
                                                    Function 00401D65 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                    • String ID:
                                                    • API String ID: 1849352358-0
                                                    • Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                    • Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
                                                    • Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                    • Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
                                                    Function 00401E35 Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                    • String ID:
                                                    • API String ID: 3808545654-0
                                                    • Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                    • Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
                                                    • Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                    • Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
                                                    Function 00401C2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                    • SendMessageA.USER32 ref: 00401CB6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Timeout
                                                    • String ID: !
                                                    • API String ID: 1777923405-2657877971
                                                    • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                    • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                                                    • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                    • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                                    Function 00405D1A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrcatlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                    • API String ID: 2659869361-823278215
                                                    • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                    • Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
                                                    • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                    • Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
                                                    Function 00405DB3 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
                                                    • CharNextA.USER32(00000000), ref: 00405DC6
                                                    • CharNextA.USER32(00000000), ref: 00405DDA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CharNext
                                                    • String ID: C:\
                                                    • API String ID: 3213498283-3404278061
                                                    • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                    • Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
                                                    • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                    • Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
                                                    Function 00402173 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                    Strings
                                                    • C:\Users\user\AppData\Roaming\Pinball, xrefs: 00402238
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball
                                                    • API String ID: 123533781-1859035047
                                                    • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                    • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                                                    • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                    • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
                                                    Function 0040541D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 0040544C
                                                    • CallWindowProcA.USER32 ref: 0040549D
                                                      • Part of subcall function 00404451: SendMessageA.USER32 ref: 00404463
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: Window$CallMessageProcSendVisible
                                                    • String ID:
                                                    • API String ID: 3748168415-3916222277
                                                    • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                    • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                                                    • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                    • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
                                                    Function 0040626F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00406527,80000002), ref: 004062B5
                                                    • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,C:\Users\user\AppData\Roaming\Pinball\Pinball.exe,?,00420530), ref: 004062C0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue
                                                    • String ID: C:\Users\user\AppData\Roaming\Pinball\Pinball.exe
                                                    • API String ID: 3356406503-2133542782
                                                    • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                    • Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
                                                    • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                    • Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
                                                    Function 00405D61 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75
                                                    Strings
                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: CharPrevlstrlen
                                                    • String ID: C:\Users\user\AppData\Local\Temp
                                                    • API String ID: 2709904686-1943935188
                                                    • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                    • Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
                                                    • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                    • Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
                                                    Function 00405E80 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                                                    • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                                                    • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.3299084764.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000004.00000002.3299044640.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299122777.0000000000408000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000040A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.0000000000422000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299149538.000000000042A000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                    • Associated: 00000004.00000002.3299240798.000000000042E000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_400000_setup.jbxd
                                                    Similarity
                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                    • String ID:
                                                    • API String ID: 190613189-0
                                                    • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                    • Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
                                                    • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                    • Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

                                                    Executed Functions

                                                    Function 01434F58 Relevance: 11.9, Strings: 9, Instructions: 623COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-416939441
                                                    • Opcode ID: d88fe6d8a51f89c50ed9be6a1ce7516ff8b2f84ee86afddd86d2126b6b48aacf
                                                    • Instruction ID: cd58fb2592e6363166acbf544790e8b211b991e6179c7e43ba8e34af99fc5e66
                                                    • Opcode Fuzzy Hash: d88fe6d8a51f89c50ed9be6a1ce7516ff8b2f84ee86afddd86d2126b6b48aacf
                                                    • Instruction Fuzzy Hash: 11329E30B042158FDB19EF69D4546AEBBF2BFC9310F25806AD505EB3A5DB349C42CB91
                                                    Function 01431049 Relevance: .8, Instructions: 843COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7fc20ef044f97570f3b6d71d9265b2cf6776975c37066287cb9a241cb420292d
                                                    • Instruction ID: ed93400ee5a311b12228681266cb82b04a2334664a67eabd01aa51a1dd966098
                                                    • Opcode Fuzzy Hash: 7fc20ef044f97570f3b6d71d9265b2cf6776975c37066287cb9a241cb420292d
                                                    • Instruction Fuzzy Hash: D082A8B4640309DFDB06DFA5E654B6A7B7EEF88300F204468A801337A9CA3D6D55DF26
                                                    Function 0143C060 Relevance: 8.9, Strings: 7, Instructions: 183COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: +Vgq^$;Vgq^$KVgq^$[Vgq^$kVgq^${Vgq^$Ugq^
                                                    • API String ID: 0-3995101117
                                                    • Opcode ID: 03f18a1b3d2a08a48545e12e92904a86265d2d8c8e7ab4140baab01d67189ad3
                                                    • Instruction ID: 53ed39f6096970c0dde41feb18f8c0f032c39b49733475e85a24e2448f010216
                                                    • Opcode Fuzzy Hash: 03f18a1b3d2a08a48545e12e92904a86265d2d8c8e7ab4140baab01d67189ad3
                                                    • Instruction Fuzzy Hash: DC71FA715407059BC359DF24DA505ABBBB6FF84204354CA6E818A8BA64EF76F90ACFC0
                                                    Function 0143C070 Relevance: 8.9, Strings: 7, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: +Vgq^$;Vgq^$KVgq^$[Vgq^$kVgq^${Vgq^$Ugq^
                                                    • API String ID: 0-3995101117
                                                    • Opcode ID: e42e64253592547ba7ea75f3297632b128b06a45de0c53fc64b8cf5db3c7b34c
                                                    • Instruction ID: a50dfc240ebe338555a2428b10eb30da60358727bdaff57ae55947d185d364de
                                                    • Opcode Fuzzy Hash: e42e64253592547ba7ea75f3297632b128b06a45de0c53fc64b8cf5db3c7b34c
                                                    • Instruction Fuzzy Hash: F5711A715407059BC359DF24D6509ABBBF6FF84204350CA6E818A8BA64EF76F90ACFC0
                                                    Function 01433750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: 359511dadb067381c371bb8d106a2ad1fa74a146a86481aac813a8e006c527dd
                                                    • Instruction ID: c6d864e006b1918b047710a2af123c8ec88e8eeb7ffdad89f9b1f68b269c247c
                                                    • Opcode Fuzzy Hash: 359511dadb067381c371bb8d106a2ad1fa74a146a86481aac813a8e006c527dd
                                                    • Instruction Fuzzy Hash: B5216D317082514FD32AAB3D541407F7EF7EBC622176981BAE906C73D6DE288C078396
                                                    Function 01433BE0 Relevance: 3.0, Strings: 2, Instructions: 467COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq
                                                    • API String ID: 0-3916115647
                                                    • Opcode ID: 8041f3b9697b2ef9d24f034b741dc7a3770b871e267ac13d14f07d649d11c105
                                                    • Instruction ID: 2bd1c94f83643e67c76d7c71a5283203c6e76a68b991586b880e05e088d0e55f
                                                    • Opcode Fuzzy Hash: 8041f3b9697b2ef9d24f034b741dc7a3770b871e267ac13d14f07d649d11c105
                                                    • Instruction Fuzzy Hash: 3CF14F707002059FDB05EF79D8546AEBBABEFC8310F148469E906EB3A5DE389C06CB55
                                                    Function 0143B0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: egq^
                                                    • API String ID: 0-4076447643
                                                    • Opcode ID: f5f20bd651d689790e3104511d28e574ef5fc3163addea129336d868dc5a47e1
                                                    • Instruction ID: 992154c97c8af650b478395d157271172d2226d072e0fe8786e8d0112b99ddcc
                                                    • Opcode Fuzzy Hash: f5f20bd651d689790e3104511d28e574ef5fc3163addea129336d868dc5a47e1
                                                    • Instruction Fuzzy Hash: DA524930A01200CFD719EF28E458A6E7BB6FF88305B65857AD806AB365DB39DC46CF41
                                                    Function 0143385C Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: 5f4a92a6df21437e4abdb400e6ce456dd96cf7dccb452e222f6378ad3e7e660f
                                                    • Instruction ID: d731a732136b9be37f80673f6d4dd96880f95c2f481cc564739d8c9cc9ac6bf8
                                                    • Opcode Fuzzy Hash: 5f4a92a6df21437e4abdb400e6ce456dd96cf7dccb452e222f6378ad3e7e660f
                                                    • Instruction Fuzzy Hash: 03C14174B00215DFDB05DFA9E954AAEBBBAFFCC310F104069E905A7365DA389C06CB91
                                                    Function 014335E1 Relevance: 1.4, Strings: 1, Instructions: 145COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: 4e5cb6c7aff81daee1eb5b9bae9df33bdf9e08c33f7e5aaddc95cef2e3f1765a
                                                    • Instruction ID: bf97a3fdf2e841c6b84dafcac4af2ef2d760d49d99bd78e56943e1af6af079d7
                                                    • Opcode Fuzzy Hash: 4e5cb6c7aff81daee1eb5b9bae9df33bdf9e08c33f7e5aaddc95cef2e3f1765a
                                                    • Instruction Fuzzy Hash: 2D4106313082011FD71AAB39985047F7BABFFC926072888B9D506CB3A5DE34DC0B8392
                                                    Function 0143C798 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: s@gq^
                                                    • API String ID: 0-2645752965
                                                    • Opcode ID: f01e4018f227af5c401872a9dd5ec0a278b7c300c739dd05e14c9443aa790cb7
                                                    • Instruction ID: 42e7b6cde60f85c9a8a807ff298ba9012e97c2b88c34a94c3ca0db748403beba
                                                    • Opcode Fuzzy Hash: f01e4018f227af5c401872a9dd5ec0a278b7c300c739dd05e14c9443aa790cb7
                                                    • Instruction Fuzzy Hash: EE51F9316407019BC359DF24D9909ABBBE6FF85214354CA6EC14A9B664EF36F90ACFC0
                                                    Function 0143BEAF Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: 44fb11984d93b77139f9669d7ba9cb72eb43390bf7bcdce609ec5f5c2ffe05b4
                                                    • Instruction ID: 52e1e3a3149ca92e8935be058d0b59032999612d2a65f13619eb1a77b0fdfe9b
                                                    • Opcode Fuzzy Hash: 44fb11984d93b77139f9669d7ba9cb72eb43390bf7bcdce609ec5f5c2ffe05b4
                                                    • Instruction Fuzzy Hash: F8418D747105018FC744DF6DC898E6EBBE6FF88710B6584A9E40ADB3B1CA70EC058B91
                                                    Function 01432B10 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: d89e63927ddd6c544bf2a9f817c7de707b4961eb5f5c2e33196560831ae842ff
                                                    • Instruction ID: 774382feeaf737087ece41d3303e2a8c2ba6d3b39d553d3144adec8f34104bee
                                                    • Opcode Fuzzy Hash: d89e63927ddd6c544bf2a9f817c7de707b4961eb5f5c2e33196560831ae842ff
                                                    • Instruction Fuzzy Hash: D1312C707103058FD70AAF39C45492E37B6EBC9A0972181B9D10ACB3A5DE39DC43CB96
                                                    Function 0143BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: b74617d981ff1ccac0323f5b74ea4daa0e12080bdb88e571ca7d8a900deb869b
                                                    • Instruction ID: e8c48f602060aa2190b0c3cd8f6fc1db37d50b885f305c45d541bd4336a0f412
                                                    • Opcode Fuzzy Hash: b74617d981ff1ccac0323f5b74ea4daa0e12080bdb88e571ca7d8a900deb869b
                                                    • Instruction Fuzzy Hash: BF417C347105058FC744DF6EC898E6EBBE6FF88710B6584A9E50ADB3B1CA71EC058B91
                                                    Function 0143C352 Relevance: 1.4, Strings: 1, Instructions: 104COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Ugq^
                                                    • API String ID: 0-47341370
                                                    • Opcode ID: 7f6d58a87b0df3d2eac27395c7efa7b4ebf4e4d85dd6e575cd64b0dd2ce0d662
                                                    • Instruction ID: d470cc37cc79d9e5ee95bedefc938f1f42dcc874ce8a0e5f03979b1d359b59dd
                                                    • Opcode Fuzzy Hash: 7f6d58a87b0df3d2eac27395c7efa7b4ebf4e4d85dd6e575cd64b0dd2ce0d662
                                                    • Instruction Fuzzy Hash: 413109725093454FC316DF38E5A06AABFA1FF9620434489AFC0898F765EA35E806CBC1
                                                    Function 01434237 Relevance: 1.3, Strings: 1, Instructions: 92COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: fba987ed234b760d2a03c690fe3922d1caab3487b2044129a97e41af0caafb74
                                                    • Instruction ID: 2ea2790a9c668c2a8e3a7fe6d9d63b4d3aa5537bb222356173bd0fe25c7a38c3
                                                    • Opcode Fuzzy Hash: fba987ed234b760d2a03c690fe3922d1caab3487b2044129a97e41af0caafb74
                                                    • Instruction Fuzzy Hash: C52168317082401FC70AA779A8245FE7FA6EFC615175944AFD445DB356CE349C0A83A1
                                                    Function 01431058 Relevance: .8, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6eadaa0a9f107bdae15b1f09fb7d8575bba78e1463bdf78cab5ecccb3a1daf8
                                                    • Instruction ID: f9fa2147ef312816171649e4314cfbf523033ed3e1e767802efddbbffee396a5
                                                    • Opcode Fuzzy Hash: b6eadaa0a9f107bdae15b1f09fb7d8575bba78e1463bdf78cab5ecccb3a1daf8
                                                    • Instruction Fuzzy Hash: 0E82A7B4640309DFDB06DFA5E654B6A7B7EEF88300F204468A801337A9CA3D6D55DF26
                                                    Function 0143AF90 Relevance: .2, Instructions: 182COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 357c587db392d3db5e69b19fecf00a8ad01e0ea68c652b75da714c8e58836520
                                                    • Instruction ID: 74631e96ffbd10b9f39a7fb06201d275987452ac0d1efafe1f76e70aea2a8fbc
                                                    • Opcode Fuzzy Hash: 357c587db392d3db5e69b19fecf00a8ad01e0ea68c652b75da714c8e58836520
                                                    • Instruction Fuzzy Hash: DB51F7319093944FD702DB3CD9656DA7FB5EF82204F0944ABC055CB1B3DA78990DC795
                                                    Function 0143BB99 Relevance: .2, Instructions: 171COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9bd95b624fe9e7db065b319136d446f9853853e33621bb83cbd0b588edac7d8d
                                                    • Instruction ID: b6cea119667b518906077aad2385d5eabde22a6c719535d3abdf7795cb8e3a18
                                                    • Opcode Fuzzy Hash: 9bd95b624fe9e7db065b319136d446f9853853e33621bb83cbd0b588edac7d8d
                                                    • Instruction Fuzzy Hash: AF81D570602305CFC715EF18E589E1ABBBAFB88346B159669D9059B229CB7CEC49CF40
                                                    Function 01435A91 Relevance: .2, Instructions: 151COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8e0aaf527e8d941f960baf73d07591d76bdac4818c8d6b6f92f62ee11b0db902
                                                    • Instruction ID: 312438833d8d81e26e36d4c30a5fee5dcd87286cb00b0764f1cd6375c5b6fd96
                                                    • Opcode Fuzzy Hash: 8e0aaf527e8d941f960baf73d07591d76bdac4818c8d6b6f92f62ee11b0db902
                                                    • Instruction Fuzzy Hash: EF512B74B402068FCB08EF69D99896ABBF5EF8C214B1141A9E509DB371DB34DC05CB61
                                                    Function 01435240 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c2f94eef7fe49f57dddfd1913e8d778d5fea18d28e3ff51e66d88d6f07c3b1f
                                                    • Instruction ID: 27c030d06f534f942e2a106f945b5c783287832d35f4e1a44f54a8bd875992f3
                                                    • Opcode Fuzzy Hash: 7c2f94eef7fe49f57dddfd1913e8d778d5fea18d28e3ff51e66d88d6f07c3b1f
                                                    • Instruction Fuzzy Hash: 4251FC70A01218DFDB14DFA9D454AAEBBB2FFC8311F14816AE805AB3A4DB749C41CF90
                                                    Function 01432850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fedacbc271f5e5ead8710a3d22aef68b0c7428aa357c2b5e5712451dd3e62028
                                                    • Instruction ID: ffe2c1a497f64ce01d640720438e26ea8c92b1004ef6518ef1334c6385e16609
                                                    • Opcode Fuzzy Hash: fedacbc271f5e5ead8710a3d22aef68b0c7428aa357c2b5e5712451dd3e62028
                                                    • Instruction Fuzzy Hash: 1C41E874E50208DFDB14EFA9D9849AEBBB6FFC8310F20452AD901A7264EB799845CF50
                                                    Function 01432C48 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25630250047c0c8ee7abe8f416b24f151ac2ce7925f8c59702d2403845c05dca
                                                    • Instruction ID: 77fd363523ce0bc355f24279ad24432430a418b39be55eb86ef5c25c321bcab4
                                                    • Opcode Fuzzy Hash: 25630250047c0c8ee7abe8f416b24f151ac2ce7925f8c59702d2403845c05dca
                                                    • Instruction Fuzzy Hash: 8F41087490030ACFDB05DFA8E9849AEBBB9FF88314F204165D505B7364D738AD45CB91
                                                    Function 01435308 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eabfb9eb617be6462bc108d0a19feeb375069dee120f2b29622d238786397169
                                                    • Instruction ID: 515cbbab30114c333a72ba7b52a6923cc7f148bdb80ad41291c9f133fa44fb83
                                                    • Opcode Fuzzy Hash: eabfb9eb617be6462bc108d0a19feeb375069dee120f2b29622d238786397169
                                                    • Instruction Fuzzy Hash: 2B41C074A01215DFCB04DF65E4949AEBBB6FFD8311F248066E905AB3A4DB389D42CF50
                                                    Function 01432844 Relevance: .1, Instructions: 92COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e16d9e0ffbfbedae0bda126d3dec62fcd7d7152c3d03186ebf30313312331bf
                                                    • Instruction ID: cdb0f78374a177cad24c972097b3101038dde5b11bcebf57f130d0e0ba26cdb0
                                                    • Opcode Fuzzy Hash: 4e16d9e0ffbfbedae0bda126d3dec62fcd7d7152c3d03186ebf30313312331bf
                                                    • Instruction Fuzzy Hash: 98314F30E54208DFDB14EFA8D9849EDBBB6FFC8310F14453AD901A7264EB799845CB10
                                                    Function 01434B50 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37adbf9036868f90ff99e59b3821e41df7dfd73232deaca2b5e70fe16403bae0
                                                    • Instruction ID: 228a3843c7adb6ce8d3fd6bec9d2e7bc41346be7c2dc5279ec607397ba14b010
                                                    • Opcode Fuzzy Hash: 37adbf9036868f90ff99e59b3821e41df7dfd73232deaca2b5e70fe16403bae0
                                                    • Instruction Fuzzy Hash: B121E6302443415FC71AEB38E850AAEBFAEFFC1210B448A79D0058B665DB78AD4DC795
                                                    Function 01436388 Relevance: .1, Instructions: 85COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f59c934dfb375cb6c912955094068d9ca8b41f50959f194e3e6a18b38940f159
                                                    • Instruction ID: 57f79425ed710000d718d10ea1a63b1c3121e1501da640b4f51b2e5bd29eb6a8
                                                    • Opcode Fuzzy Hash: f59c934dfb375cb6c912955094068d9ca8b41f50959f194e3e6a18b38940f159
                                                    • Instruction Fuzzy Hash: B821063084920AEA9B19EFA8994487D7FA8EFEE314B4348B7C608C317DC5794B49C712
                                                    Function 01432C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e79af47a96f9b5df69a22183b8825396bedb2a363832511fded4594812f7db63
                                                    • Instruction ID: b448e25303b4c1c4c9e1c060390bdfa250f3ff86f9d49944aca4596d139c46c3
                                                    • Opcode Fuzzy Hash: e79af47a96f9b5df69a22183b8825396bedb2a363832511fded4594812f7db63
                                                    • Instruction Fuzzy Hash: 4331B674900209CFDB05DFA8E5849AE7BBAFB88314F104535D505B7364DB38AD45CF91
                                                    Function 0143375F Relevance: .1, Instructions: 71COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f084bf6a7f4e2da09f9e801ef94f8eac8491c792653c3171adaeb9248527e875
                                                    • Instruction ID: 0f08fdce4852922d0963298d138345fcf6ceba7306073bb38edc7ff756387195
                                                    • Opcode Fuzzy Hash: f084bf6a7f4e2da09f9e801ef94f8eac8491c792653c3171adaeb9248527e875
                                                    • Instruction Fuzzy Hash: 9B115B1130C2810FD32B6A394C1006F3FABABC757072941ABE945DB3F6DE248C078395
                                                    Function 01435C4B Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 44ad03411e62f60be69da5304028fcd05bc4324cd557b7560f6a0bbbf2eafab8
                                                    • Instruction ID: b4a0a6692081fcc59e30cf7658e03dd63af4941d1d8035028a29e7648f9bd7e8
                                                    • Opcode Fuzzy Hash: 44ad03411e62f60be69da5304028fcd05bc4324cd557b7560f6a0bbbf2eafab8
                                                    • Instruction Fuzzy Hash: AD216D30A042588FDB15CBA9C598ADDBFF1AF8D314F15419AD401BF361DB75AD41CBA0
                                                    Function 0143CEC0 Relevance: .1, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a4b60d0dd3705c8c04440830cdf88b195ff8c4d94dcb1188ba2b73d2daa2355
                                                    • Instruction ID: 1fba039793341284d3b67648874351ee6a133749e58aa8193d3cf727b7ffb300
                                                    • Opcode Fuzzy Hash: 8a4b60d0dd3705c8c04440830cdf88b195ff8c4d94dcb1188ba2b73d2daa2355
                                                    • Instruction Fuzzy Hash: 9A2164B5C00248DFCB15CFA8C5997ADBFB2AB48314F24806AE806B7390CB756904CF90
                                                    Function 01434B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c39c08cc9fb0f3e62e9c3417593e3812e858d00088d8e1c2b1b4900d8a50fffb
                                                    • Instruction ID: a294312519a8ef0d99370422ffc1dd1ef26e96c1c1bcfaf69dc23aa527c0f0a7
                                                    • Opcode Fuzzy Hash: c39c08cc9fb0f3e62e9c3417593e3812e858d00088d8e1c2b1b4900d8a50fffb
                                                    • Instruction Fuzzy Hash: 412154312442025FC719EB79F980EAEBBAEFFC4210B448A38D4058B668DF75ED4D8795
                                                    Function 0143CED0 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a8c97e11760f3849f6d6086cb842bfcebb4133a62d9422f9b221b3b6a55ea0e
                                                    • Instruction ID: 8b1f3fb0d2d1487b736374569378df4c236e5872baa863b62331e62b28a45bdf
                                                    • Opcode Fuzzy Hash: 2a8c97e11760f3849f6d6086cb842bfcebb4133a62d9422f9b221b3b6a55ea0e
                                                    • Instruction Fuzzy Hash: 0A213C74D00248DFCB15DF69C5996ADBFF6AB88314F20805AE806B7350CB756845CF90
                                                    Function 01436888 Relevance: .1, Instructions: 60COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebe5bd72245b5f6a66382db06e8c3973eea58d6ca6fbcd2e2219854e42bb243b
                                                    • Instruction ID: 2154f2528df597db37ab9c577774fe1dd1097b7ed4c13362dc67be5df5bb60fd
                                                    • Opcode Fuzzy Hash: ebe5bd72245b5f6a66382db06e8c3973eea58d6ca6fbcd2e2219854e42bb243b
                                                    • Instruction Fuzzy Hash: BF215E71900206EBDB14DF69C5086EEBBF1AF89304F22805AC449A7261DB719B05CB92
                                                    Function 01435C68 Relevance: .1, Instructions: 60COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bcf22e1ac742c5e058188a3757bcafaab5c38f3934decce31053ca018587e892
                                                    • Instruction ID: 854ef2281d59c67ce6a76dd81771221ecbfa2e49763d4d10e6914a3bbd065b40
                                                    • Opcode Fuzzy Hash: bcf22e1ac742c5e058188a3757bcafaab5c38f3934decce31053ca018587e892
                                                    • Instruction Fuzzy Hash: D5216A35A002188FDB14DBA9D588ADDBBF1AF8C310F2040A6D506FB360DB75AD45CBA0
                                                    Function 01435911 Relevance: .1, Instructions: 59COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c149935575fb992ec54b6f1ded54cf0efcc4fbb6e40611aaf8c3157fd264e0d0
                                                    • Instruction ID: 47687995a1b05109cadc56c072ce900a6728994511b0f017fe5575a8a967de2c
                                                    • Opcode Fuzzy Hash: c149935575fb992ec54b6f1ded54cf0efcc4fbb6e40611aaf8c3157fd264e0d0
                                                    • Instruction Fuzzy Hash: 7A01C4713093809FC3169B79D85485EBFB5EFCB26032980ABD445CB3A3C5359C05C761
                                                    Function 014332E0 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d5f3c7f4e99833c9b7e1dc8a93c54cbb1f57853fd3ed4e16c54dca73ecf25db2
                                                    • Instruction ID: 5fce343ae96bd40985e53a3e7dbd4775bff9e89a0cbd2dec340284d263281a76
                                                    • Opcode Fuzzy Hash: d5f3c7f4e99833c9b7e1dc8a93c54cbb1f57853fd3ed4e16c54dca73ecf25db2
                                                    • Instruction Fuzzy Hash: 75119134A44244CFDB15EF74E858BAEBBB2EBCC324F50842AD50297295DF7A6805CB61
                                                    Function 01432A80 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba0cf284e068d1a38209b4812495638926bf25e1b7d70abb829be33abf559e71
                                                    • Instruction ID: 905916cf527b686b5583299344982e527d665117e6783a6cc3059de3d9d49a26
                                                    • Opcode Fuzzy Hash: ba0cf284e068d1a38209b4812495638926bf25e1b7d70abb829be33abf559e71
                                                    • Instruction Fuzzy Hash: DE01A1342143018FC716EB38C4048AA7FF5FF8961431589AAC185DF362DB70EC098BD1
                                                    Function 0143C000 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: de3e7a01d430bef399e628a2409ddce7d2704b7b03b6367be55f3ac92b354fb1
                                                    • Instruction ID: c428b9b47a3e9771f9b15f9c86d75ed4fec962ea9c97214a48362af2f794f29b
                                                    • Opcode Fuzzy Hash: de3e7a01d430bef399e628a2409ddce7d2704b7b03b6367be55f3ac92b354fb1
                                                    • Instruction Fuzzy Hash: F8018C70310259CFCB45DF2CE884E89BBB9FF84618B0154AAE5058F636CB75ED44CB80
                                                    Function 01435940 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f997757ef197f9e9b792b3f31189256ae0438e1e28575ad6979c3a7ddd9887d6
                                                    • Instruction ID: 729bbd5609c372fe3d57f637114467b1fdfa80305a703ae13d95c5890acde1e0
                                                    • Opcode Fuzzy Hash: f997757ef197f9e9b792b3f31189256ae0438e1e28575ad6979c3a7ddd9887d6
                                                    • Instruction Fuzzy Hash: 9601A4763002108F8724EEADE498C6EBBEAFBC9672320857AE605C7350CE35DC0587A0
                                                    Function 014341D0 Relevance: .0, Instructions: 44COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ed30fe803edea748d05951a23ae67c8e43ca6a4dbb1e6b79f7dc412ee975d60
                                                    • Instruction ID: 7eb355ea3a4893e69f11b80a7093ce04527b7b28e65927348de1184945d9f653
                                                    • Opcode Fuzzy Hash: 2ed30fe803edea748d05951a23ae67c8e43ca6a4dbb1e6b79f7dc412ee975d60
                                                    • Instruction Fuzzy Hash: 08F04C313082402FC70AE365AC944FE7FAAFBCA060758086FD405E7692CE255C098366
                                                    Function 014332F0 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6122bb86aa9f52ca8297e0a423cd6e63322f56edd6cb063aa4b2d0dc68ee4d0
                                                    • Instruction ID: d1626e770393e97072068fa6bc49fd47a689771d258afa457894f79056b3a15b
                                                    • Opcode Fuzzy Hash: c6122bb86aa9f52ca8297e0a423cd6e63322f56edd6cb063aa4b2d0dc68ee4d0
                                                    • Instruction Fuzzy Hash: 11014034A40204DBCB14EFB4E858BAE7BB6EBDC325F508429D502A7394DF795805CB61
                                                    Function 01431FF8 Relevance: .0, Instructions: 31COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06ac9127602290e3a7bc6a6ddc4d81f3a81519fad81525b7708536b49295d028
                                                    • Instruction ID: 30d3a2c726c65d3ee0b34c50d31439cf4fd425d414181359cd066c763c708852
                                                    • Opcode Fuzzy Hash: 06ac9127602290e3a7bc6a6ddc4d81f3a81519fad81525b7708536b49295d028
                                                    • Instruction Fuzzy Hash: DFF082363492804FC713577998684697FA99FCA52431A04EBE145C7273C971DC0AC752
                                                    Function 01436398 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eda11eb0302ccfbc96e8811cc09549c6be6390dd412a96961a58ae36d6b75483
                                                    • Instruction ID: f7423c9306cc8ad8c4953b35e656dfcfc28e72f0f64257427be3ee22b59b8d0a
                                                    • Opcode Fuzzy Hash: eda11eb0302ccfbc96e8811cc09549c6be6390dd412a96961a58ae36d6b75483
                                                    • Instruction Fuzzy Hash: 7FF08230A40209EFCB00EFF8E9445ADBBF5EF98201F5041A89808E7380DB305E04DB51
                                                    Function 01432D94 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd0dfbf047e7693f69eb20fc35f5babe9b65e26f4db25ee30e6fd0422565e5a4
                                                    • Instruction ID: 6fbe31ff983f6791124f8578f3eb86430436f6ba5fe712a2738e7bb2bfd41e0a
                                                    • Opcode Fuzzy Hash: bd0dfbf047e7693f69eb20fc35f5babe9b65e26f4db25ee30e6fd0422565e5a4
                                                    • Instruction Fuzzy Hash: 9DF08C34A24108CFC784EFADD4096E9BBF1FF4C304B2081A9D519D7302DB728912CB91
                                                    Function 014366C8 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8e4181f170558ce90c68d5bfedc9e686ba5f02a6b79ac559fbaa9423e0283dc
                                                    • Instruction ID: 2b5077d5ed640a722a2627f4d2fcb1b614107ba12632f8916ff14dbd0bbe9460
                                                    • Opcode Fuzzy Hash: f8e4181f170558ce90c68d5bfedc9e686ba5f02a6b79ac559fbaa9423e0283dc
                                                    • Instruction Fuzzy Hash: A5E0DF21A093D16FC3015A2C6818099BFB5DECB5A130B01EBE008DB3A6CE244D099396
                                                    Function 01432DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cca3b76f4ee0014346f230fb0899a1be9e176828aba2955a951ac3882b6676c2
                                                    • Instruction ID: 4421f22980cc16c8df114c5d1eea6fc4caa5f309bfa590645ba99356031e6d70
                                                    • Opcode Fuzzy Hash: cca3b76f4ee0014346f230fb0899a1be9e176828aba2955a951ac3882b6676c2
                                                    • Instruction Fuzzy Hash: 22E03971E201188F8B84EFAC88086DE7BF5EF48210B5140AAD519E3310EA7099018B91
                                                    Function 01436469 Relevance: .0, Instructions: 18COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 896642af378edc9018d163899612c7f56c4c58e09b5843623d97e6a45985f94a
                                                    • Instruction ID: cca614c0a3da07ee9631395ec40a98f8b52b961c957d30381325d8a258a283f8
                                                    • Opcode Fuzzy Hash: 896642af378edc9018d163899612c7f56c4c58e09b5843623d97e6a45985f94a
                                                    • Instruction Fuzzy Hash: AAE0E279688300AFC308DB289454816B7AEEF89720B1544A5E508DB376D929EC42871A
                                                    Function 0143CFFE Relevance: .0, Instructions: 14COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a957bd5c84e6fd88fa38767f7f58bb50670f1f5b25125dc7b3d53e619cd42db
                                                    • Instruction ID: 33ef9f99d47c724cbfd15de0676011ecfc923f75d362f5bba1846fe0874bbda4
                                                    • Opcode Fuzzy Hash: 2a957bd5c84e6fd88fa38767f7f58bb50670f1f5b25125dc7b3d53e619cd42db
                                                    • Instruction Fuzzy Hash: EAD0A77C81524487EF204A9191193757D619FD835EF14C1ABB41B4A6A0CBF68087DE50
                                                    Function 01436478 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d038f7279c285ec0f586f14b50734eba47f6181f2b0bf7c0bde727094567baca
                                                    • Instruction ID: e5b4aeeb7b1dd7d3bc66d02e5d0893cb3cfc6ed387d2f1e469a1597bf9cc0a9a
                                                    • Opcode Fuzzy Hash: d038f7279c285ec0f586f14b50734eba47f6181f2b0bf7c0bde727094567baca
                                                    • Instruction Fuzzy Hash: C4C0C9347842044F83089A58E04082573AEFB88610B1000B4E60987335C924EC418619
                                                    Function 01435640 Relevance: .0, Instructions: 10COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a150139e15b8d3b5c8a986eb1ee31ae62aed39d12c1ad19d64069495eccf9ba
                                                    • Instruction ID: 2856778a32c021b4f35eb722b84032d67933f3ddfeaaa1547edacb2c914d2f93
                                                    • Opcode Fuzzy Hash: 2a150139e15b8d3b5c8a986eb1ee31ae62aed39d12c1ad19d64069495eccf9ba
                                                    • Instruction Fuzzy Hash: ACB02B301402095796100519FC084223B1DEB900243104196AD0C05210BD33C4111580
                                                    Function 0143CAA0 Relevance: .0, Instructions: 8COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.3311333947.0000000001430000.00000040.00000800.00020000.00000000.sdmp, Offset: 01430000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1430000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a860e4d6a5211264ce48b4dc0780f22ec86bca1740d42cd57528a9bd0c32baa3
                                                    • Instruction ID: ecfe05182f077dacea1361941d9dfeca13baad4c254535e024283c15140b2e77
                                                    • Opcode Fuzzy Hash: a860e4d6a5211264ce48b4dc0780f22ec86bca1740d42cd57528a9bd0c32baa3
                                                    • Instruction Fuzzy Hash: CAB092F2EA09C44BEF004DC28D8A3902FB0E7B0303F211041A00789280EC84A4028A14

                                                    Executed Functions

                                                    Function 01244F58 Relevance: 7.9, Strings: 6, Instructions: 391COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-2219660067
                                                    • Opcode ID: 99e127f7d8be3cbeb39a00bf282d7ec638bf2317c5e6bb04d6538e1d67482205
                                                    • Instruction ID: 1af7ae49039e60464d06b7454c69b39948ebfa3511e384dd7792fccef71c700f
                                                    • Opcode Fuzzy Hash: 99e127f7d8be3cbeb39a00bf282d7ec638bf2317c5e6bb04d6538e1d67482205
                                                    • Instruction Fuzzy Hash: 12E18B30E102198FDB09EF68D4546AEBBF2BF88310F14C16AD946EB395DB749D42CB91
                                                    Function 01243860 Relevance: 4.4, Strings: 3, Instructions: 686COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: 6e590ceb60f790e1f63b2e0d42caa27a3f81358faa50ddd09c557adfcf513516
                                                    • Instruction ID: 7a1dd89aa18b3dff4c8def3d421287c11cf13a9b23a24dc55781136d530b6f84
                                                    • Opcode Fuzzy Hash: 6e590ceb60f790e1f63b2e0d42caa27a3f81358faa50ddd09c557adfcf513516
                                                    • Instruction Fuzzy Hash: 1E428035B102159FDB09EF69D864AAE7BB7FF88300F148429E905A73A9DF349C06CB51
                                                    Function 01241049 Relevance: 2.1, Strings: 1, Instructions: 843COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `5
                                                    • API String ID: 0-3973472792
                                                    • Opcode ID: f0271345231f2f53afceb7c747a6b6e484210f7f7c71e6f9595f8dae215db769
                                                    • Instruction ID: 31258e8573f63dc5ae9709074a2d1e712674b79fbc18ff331207e3b54ffc2f23
                                                    • Opcode Fuzzy Hash: f0271345231f2f53afceb7c747a6b6e484210f7f7c71e6f9595f8dae215db769
                                                    • Instruction Fuzzy Hash: D88225B964020DDFDB06EBA5E654B6E7B7BEF88300F104815E800237ADCB396D45DB26
                                                    Function 012435F0 Relevance: 5.2, Strings: 4, Instructions: 198COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq
                                                    • API String ID: 0-3514690552
                                                    • Opcode ID: 279c46a230a1b1554089c7836708e0f58e0d7718b14167cc187f18f3ad8b1395
                                                    • Instruction ID: b8bcbd0e467debe97eba3f073df0c12bb3fb9a053e19e094a1b2b311c140d723
                                                    • Opcode Fuzzy Hash: 279c46a230a1b1554089c7836708e0f58e0d7718b14167cc187f18f3ad8b1395
                                                    • Instruction Fuzzy Hash: 94512831B142561FE31EAB39986057F7BE7FFC621071885A9D906CB399DE24CC0B8396
                                                    Function 01245640 Relevance: 4.0, Strings: 3, Instructions: 211COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: ccb13d4e4e38dd99635f0a60ecf17c1b83e533ae326725455b4174e8260a3f33
                                                    • Instruction ID: 8b8427c5724eab7f9b7d4d1bc167cf316c8bd828f89115ddc49d3656db7ba320
                                                    • Opcode Fuzzy Hash: ccb13d4e4e38dd99635f0a60ecf17c1b83e533ae326725455b4174e8260a3f33
                                                    • Instruction Fuzzy Hash: 11719F34B102058FD709DF69D498A6EBBF6AFC9610F248069E506EB365DF70DC46CB50
                                                    Function 01241058 Relevance: 2.1, Strings: 1, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `5
                                                    • API String ID: 0-3973472792
                                                    • Opcode ID: 5dffb6f6fe1898ddbff013e72a89dd3f22608fde4fcf933c0a29e6b87758bc6d
                                                    • Instruction ID: 463faafcdb4cdc21ee82464c2774b7c21e60946d9540ed545f1e91b54d2b9ce6
                                                    • Opcode Fuzzy Hash: 5dffb6f6fe1898ddbff013e72a89dd3f22608fde4fcf933c0a29e6b87758bc6d
                                                    • Instruction Fuzzy Hash: 9B8235B964020DDFDB06EBA5E654B6E7B7BEF88300F104815E800237ADCB396D55DB26
                                                    Function 0124BEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: d533f16fcb5cb920ed6250c4dada52ea0bde9bfaf38ffa607848b12ddde96f0c
                                                    • Instruction ID: 2c9957ebaab2b5a074993b042f44d67a2a04d14ecdbf9515f02887e804c8328e
                                                    • Opcode Fuzzy Hash: d533f16fcb5cb920ed6250c4dada52ea0bde9bfaf38ffa607848b12ddde96f0c
                                                    • Instruction Fuzzy Hash: 85419134B102058FC754DF2DC898A6EBBE6FF88710B2580A9E506DB3B5DB71DC028B81
                                                    Function 0124BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: 6a345b08197f1d4978977924a8278c21137b83e46029e1bc0fd7be8a15d720b9
                                                    • Instruction ID: 2de8bbffeff5092abe507782e79c178b2781311556667e76905e1a87615958f9
                                                    • Opcode Fuzzy Hash: 6a345b08197f1d4978977924a8278c21137b83e46029e1bc0fd7be8a15d720b9
                                                    • Instruction Fuzzy Hash: BD417034B105058FC758DF6DC498A6EBBE6FF88710B2584A9E506DB3B5CB71EC018B81
                                                    Function 01242B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 001ae61d4ba02a809c3d6190f1de82ede1799e4e24be21f7bea335699e7c1a45
                                                    • Instruction ID: 0913950fb1d60c5af6aaa1c03a4f2b77bf8fb86e34fd188397c20790d5342a92
                                                    • Opcode Fuzzy Hash: 001ae61d4ba02a809c3d6190f1de82ede1799e4e24be21f7bea335699e7c1a45
                                                    • Instruction Fuzzy Hash: EB31FA357102058FD749EB39D46866E33B2EBC9A19720857DD10ACB3A4DF3ADC438B96
                                                    Function 01242B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: ed8690fa99c950dd61c7f54e67e6cb82bee1bbee979e1141e329a0575c0130c0
                                                    • Instruction ID: fe655c3820f219811e570abf9d78f1c936be2565cab4379a6a3f4e10d6bdd106
                                                    • Opcode Fuzzy Hash: ed8690fa99c950dd61c7f54e67e6cb82bee1bbee979e1141e329a0575c0130c0
                                                    • Instruction Fuzzy Hash: 9331EC357102158FD749EB39D46492E33B2EBC9A19720856DD10ACB3A4DF36DC438B96
                                                    Function 01244248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: b15ee4a4db98f4fdfda47ef42ec582d34cb0137da5572368913998ed3e96c356
                                                    • Instruction ID: b58c540a71b3101eed5b572acf135d67c2601bf602f8276d59bf749d0f837d68
                                                    • Opcode Fuzzy Hash: b15ee4a4db98f4fdfda47ef42ec582d34cb0137da5572368913998ed3e96c356
                                                    • Instruction Fuzzy Hash: 300168327182810FD30EA73CA42066E3F97EFD251074884AEC4418B385CEA89C06C3D1
                                                    Function 0124B0B0 Relevance: .7, Instructions: 680COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8d36dce318bef383e10539b816f81801b74a2266143a2e9e37e52282d23cfca
                                                    • Instruction ID: 818bccbc700f753b10f92237768c76a160b38ab982b53f96af1d3484751254ad
                                                    • Opcode Fuzzy Hash: c8d36dce318bef383e10539b816f81801b74a2266143a2e9e37e52282d23cfca
                                                    • Instruction Fuzzy Hash: D1526939A21201CFC759EF38E54892D7BB2FF89305B64846AD51A8B3A9DB71EC41CF41
                                                    Function 0124AF90 Relevance: .2, Instructions: 201COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b1bdc10cb3f268ad17b90a801612986583a9c5519eab15a07212645c972ce20
                                                    • Instruction ID: d023a9c921377cf3e7aa9432cd7576cda8892637e6c7046485fd5daf72237eda
                                                    • Opcode Fuzzy Hash: 6b1bdc10cb3f268ad17b90a801612986583a9c5519eab15a07212645c972ce20
                                                    • Instruction Fuzzy Hash: B161E4319193E54FC7079B3CD9616D9BFB4EF43214F0940ABC0548B2A7EA68980DC7A6
                                                    Function 0124C060 Relevance: .2, Instructions: 187COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a75887804a1217a5e659f9ce9d10267f5d20e8cd35dd7d11c1c79414c4a6cc5
                                                    • Instruction ID: b34d2a0d9bb6ee335b36d9dfc86a706e1a67347ad2e20a9615320a17301b5233
                                                    • Opcode Fuzzy Hash: 7a75887804a1217a5e659f9ce9d10267f5d20e8cd35dd7d11c1c79414c4a6cc5
                                                    • Instruction Fuzzy Hash: 44712A315517059FC359DF24D99059BBBB6FF80204354CA2EC58A4BAA4EFB2F90ACBC0
                                                    Function 0124C070 Relevance: .2, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3220c952c2cb649d1884527685dc561b4aba16b28893ddc7b23f1b6514ca2974
                                                    • Instruction ID: 362807e77e76dcef19c86eb4bb8bddc5751db05e011abb47fb98e25896ef2083
                                                    • Opcode Fuzzy Hash: 3220c952c2cb649d1884527685dc561b4aba16b28893ddc7b23f1b6514ca2974
                                                    • Instruction Fuzzy Hash: 47712A315517059FC359DF24D99095BBBB6FF80304354CA2E858A4BA68EFB2F90ACBC0
                                                    Function 0124BB99 Relevance: .2, Instructions: 173COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d9f011d4e94c7161df6415bb733d6522fc91569480e9722a87c1d2a268da40a8
                                                    • Instruction ID: b75a0fa56da3bd8f4a61c641d9b34489e4930366e34266a8761a2e80589ec0ed
                                                    • Opcode Fuzzy Hash: d9f011d4e94c7161df6415bb733d6522fc91569480e9722a87c1d2a268da40a8
                                                    • Instruction Fuzzy Hash: BB814979A11241CFC3AAEF18E689D1ABBB6FB88304B54C56AD5148B36DC770EC49CF40
                                                    Function 0124385A Relevance: .2, Instructions: 163COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4889178b5ef9019d5582ae9c196e6281745d673274dd1ac4877b72e32d2721f3
                                                    • Instruction ID: 1e0873f82445661d603c77d3bc15cc40055dedb1e375b31a8cb52efe0aa1ff5b
                                                    • Opcode Fuzzy Hash: 4889178b5ef9019d5582ae9c196e6281745d673274dd1ac4877b72e32d2721f3
                                                    • Instruction Fuzzy Hash: 56612E75B11219EFDB09DFA9E954AAEBBB6FF8C310F108029E905A7364DB359C01CB50
                                                    Function 012438BA Relevance: .2, Instructions: 153COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bc5e87a59a9c166ad5e20a107bee6cd27e73cf873a3b0f567ef431a90d9dc603
                                                    • Instruction ID: 3b9fc60d7482318da7975630d7a32ff47351ca6861cb86719a9125a2a485ec7f
                                                    • Opcode Fuzzy Hash: bc5e87a59a9c166ad5e20a107bee6cd27e73cf873a3b0f567ef431a90d9dc603
                                                    • Instruction Fuzzy Hash: 6C517E35A10219EFDB09DFA9E994AADBBB6FF8C310F108119E905A73A4DB35DC05CB50
                                                    Function 01245AA0 Relevance: .1, Instructions: 141COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: beacefd305812a87769c49f4bb1d6233b0efc90009bf1c136ec295e46aa7c717
                                                    • Instruction ID: 8b06e93eb543bf7279be3c6149bfea9944d85e1a3a583d9374986a5112b4b8f4
                                                    • Opcode Fuzzy Hash: beacefd305812a87769c49f4bb1d6233b0efc90009bf1c136ec295e46aa7c717
                                                    • Instruction Fuzzy Hash: D5512A75B102068FCB08DF68D99496EBBF6EF88210B114169E50ADB365DB70EC05CFA0
                                                    Function 0124C798 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7823c7fa686781076c55776dba7ddc3a41ccf2c50c5bf9dc4c66d73e82a065eb
                                                    • Instruction ID: f3498f4bbd656dbf69101add4b286f7fd520f0c8ea2ed5d4761c03e608638b59
                                                    • Opcode Fuzzy Hash: 7823c7fa686781076c55776dba7ddc3a41ccf2c50c5bf9dc4c66d73e82a065eb
                                                    • Instruction Fuzzy Hash: 795119316117059FC319DF28D94089ABBA6FF85204354CA2EC08A9B664EF76F90ACFC0
                                                    Function 01245240 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5203e43928ed3275af13cb7c5e83819d9b6ff236a24387324090143f3fb3c655
                                                    • Instruction ID: 14164e0249884fa7f1ab446f30931c31d1d79595416ec5acb40b30c618bd61d9
                                                    • Opcode Fuzzy Hash: 5203e43928ed3275af13cb7c5e83819d9b6ff236a24387324090143f3fb3c655
                                                    • Instruction Fuzzy Hash: EE516C30A20219DFDB08DFA9D494AAEBBF2FF88311F148169E945AB354DB709C41CF90
                                                    Function 01242850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a5fd3416a4f1fdac6c196c6e53b2a7fb9abf5189a60438dc43d0332c6b4f4e3e
                                                    • Instruction ID: c8843de9fc92c54052cd7a2153dca0f2d1e34d58fe64b6014e66a56c82b3efea
                                                    • Opcode Fuzzy Hash: a5fd3416a4f1fdac6c196c6e53b2a7fb9abf5189a60438dc43d0332c6b4f4e3e
                                                    • Instruction Fuzzy Hash: 5241D534E60208CFDB19EFA5E9949DDBBB6FF88300F245529E901A7368DB749845CF50
                                                    Function 01245A91 Relevance: .1, Instructions: 105COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5d5d1f076534e47ff3e4263d6f422f8861b11d5b0c04b455296daa8a04e22346
                                                    • Instruction ID: 2455a19e264719df100fbfc1b4ad322696292a761b20447ca4d6ca22eaf8a312
                                                    • Opcode Fuzzy Hash: 5d5d1f076534e47ff3e4263d6f422f8861b11d5b0c04b455296daa8a04e22346
                                                    • Instruction Fuzzy Hash: 14415A75B102068FC709DF68D994D6ABBF6EF88314B1181A9E509DB376DB70EC06CB60
                                                    Function 01242842 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01ae8a8388305fd0ad4836ce4b052c28c2732da5adcc8669f599b2b7dc65095b
                                                    • Instruction ID: 9105ec2b7f641fc889cf4111d1ff2433c02b497544c04a64e3230792a99d61b6
                                                    • Opcode Fuzzy Hash: 01ae8a8388305fd0ad4836ce4b052c28c2732da5adcc8669f599b2b7dc65095b
                                                    • Instruction Fuzzy Hash: 52316074E60209CFDB19DFB5E5949ED7BB6FF88300F244529D901A7368EB749845CB20
                                                    Function 01245308 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d46f3c8b29ae9d2fec4cf405127a87c1bf631d3fef7dbc655565128ca0906d8
                                                    • Instruction ID: 9eab53920e47e560c59391c2ebd78d2779bfdbd93442981554f6b2d5b1ecb161
                                                    • Opcode Fuzzy Hash: 7d46f3c8b29ae9d2fec4cf405127a87c1bf631d3fef7dbc655565128ca0906d8
                                                    • Instruction Fuzzy Hash: 0B41FB35A10115DFDB08EFA5E4949ADBBB2FF88311F108069E906EB364DB349D42CF90
                                                    Function 01242C48 Relevance: .1, Instructions: 91COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9a62481cdc79c5566a9f1b48fa1983249cfe9ee641f18c9b7a072abb9e3bf076
                                                    • Instruction ID: 6abd15cdc6080c0cd60778d96736a735ec4a5433d9c0755de8bff50f0bea9668
                                                    • Opcode Fuzzy Hash: 9a62481cdc79c5566a9f1b48fa1983249cfe9ee641f18c9b7a072abb9e3bf076
                                                    • Instruction Fuzzy Hash: 1E415C75A1020ACFCB05EFA8E994AEEBBB5FF48314F10456AD501A7368DB349E45CF90
                                                    Function 01242C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2eb19aaa84efb34a28412ed5156cf7ced9e26bd8549e93a33d086552aa1cefb
                                                    • Instruction ID: 30ac4ec54eba3597f2642d8b1d53a1451f255826632936aa4fe96be2379a4452
                                                    • Opcode Fuzzy Hash: b2eb19aaa84efb34a28412ed5156cf7ced9e26bd8549e93a33d086552aa1cefb
                                                    • Instruction Fuzzy Hash: C1313C75A1020ACFCB04EFA9E594AEE7BB6FF48310F10452AD501A7368DB349E45CF90
                                                    Function 0124288D Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: daa6d789388825e2087959ce5a7ec5d456fc4cd292c7cfd8f33413022ecad1a6
                                                    • Instruction ID: 9fa58086e9ddc97893252fb11dbbf6fc6e9478eded510b72785811c2787196d8
                                                    • Opcode Fuzzy Hash: daa6d789388825e2087959ce5a7ec5d456fc4cd292c7cfd8f33413022ecad1a6
                                                    • Instruction Fuzzy Hash: 85315E34E20208CFDB18DFA5E5949DDBBB2FF88340F24552AE901A7368DB749C45CB20
                                                    Function 01244B70 Relevance: .1, Instructions: 73COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a55530ff84519e9e680b0d75d14f16724f1a41094b4fac0e6c8f49b8d870e8e6
                                                    • Instruction ID: f712953681b9ac0fbde12e712174ccf3961120e53b2d38b6839f7a902fe3b5cb
                                                    • Opcode Fuzzy Hash: a55530ff84519e9e680b0d75d14f16724f1a41094b4fac0e6c8f49b8d870e8e6
                                                    • Instruction Fuzzy Hash: F721C7316543065FC71AEB78E880A5E7BAAFFC0204B048A79D0159B368DBB4ED4DC794
                                                    Function 0124CEC0 Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff6194a6331c7918d6fa6e6dee55ea712dc20c500658d37a4626e702631a9e16
                                                    • Instruction ID: f6351192ecf0265375c786c7a995430c597dc64a356b4ea72f54ec167ca1faee
                                                    • Opcode Fuzzy Hash: ff6194a6331c7918d6fa6e6dee55ea712dc20c500658d37a4626e702631a9e16
                                                    • Instruction Fuzzy Hash: 0F216674D22248DFDB15CFA8D54ABDDBFF2AF48310F24846AE805A7290CB7A5845CF90
                                                    Function 01244B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6c81f5fbf7a8bcd52856f11edd07157521c36ad4e95465d3f50dc9545d263ca
                                                    • Instruction ID: 36acf8b584075de8cdd0a9f1c77986e49583c9acb73c2bbe94bab08e92f9d23c
                                                    • Opcode Fuzzy Hash: b6c81f5fbf7a8bcd52856f11edd07157521c36ad4e95465d3f50dc9545d263ca
                                                    • Instruction Fuzzy Hash: E8216F316202065FC719EB69E980A5E77AAFF80214B048A39D4198B768DFB4AD498B94
                                                    Function 0124CED0 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f7b951dd48a79b1655b253cd84fea517147072e393e176f24fa6c1c979d9faa
                                                    • Instruction ID: 364f91d2c85229d29baa0bbc358831bf6878147f2ff0f2be6b3b04ab9bf3d559
                                                    • Opcode Fuzzy Hash: 4f7b951dd48a79b1655b253cd84fea517147072e393e176f24fa6c1c979d9faa
                                                    • Instruction Fuzzy Hash: 9A213774D11248DFDB15DFA8D549A9EBFF6BF48310F20805AE809A7380CB795845CF94
                                                    Function 01244237 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 236ed8c302de1af2a1f3817ee8e09a4c102fb4f728b11a8479b83216b072e884
                                                    • Instruction ID: a87304d573ca8076bb918c6d42dcb3c6e8bb84b8c5c64937a549a7b0e93a54dd
                                                    • Opcode Fuzzy Hash: 236ed8c302de1af2a1f3817ee8e09a4c102fb4f728b11a8479b83216b072e884
                                                    • Instruction Fuzzy Hash: 411102327142051FC30DAB69B85056E3B9AFFC5610748492AD8059B384CFA5AC4A8799
                                                    Function 01242908 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: adf3b45b01245841d10a5ec7d85e598d3b5527d7bda6a04f628c6e5be5f6806a
                                                    • Instruction ID: 363a4213f16743acd19a4754309047886c26323135f971ac7cc7e784fdd0f709
                                                    • Opcode Fuzzy Hash: adf3b45b01245841d10a5ec7d85e598d3b5527d7bda6a04f628c6e5be5f6806a
                                                    • Instruction Fuzzy Hash: 1E211B34E20119CFDB19DFA9E9909EDBBB6FF88340F14812AD915A7368DB749805CF20
                                                    Function 01245C68 Relevance: .1, Instructions: 60COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4f9c889b5de14ba305fa18b04c30bf87eb63d6a6ea7d12d2a6e22625dac5387
                                                    • Instruction ID: f943ae8a4d18eba3d6d933fd6beae7d2bab90200f70d0e78a14893b0d0559e34
                                                    • Opcode Fuzzy Hash: c4f9c889b5de14ba305fa18b04c30bf87eb63d6a6ea7d12d2a6e22625dac5387
                                                    • Instruction Fuzzy Hash: 03216735A00219CFDB18CBA9D588BDDBBF1AF4C310F2001A9E545BB360DB75AD44CBA0
                                                    Function 01246888 Relevance: .1, Instructions: 59COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 062947943ed4ad39f7f43ac5324a90504eae49b0b2e4fa5e099565c1c3c96864
                                                    • Instruction ID: 9f8d382b4aac478d009e0823bfb1f7bb27f83a18da02a59c599b94d28b8a95b6
                                                    • Opcode Fuzzy Hash: 062947943ed4ad39f7f43ac5324a90504eae49b0b2e4fa5e099565c1c3c96864
                                                    • Instruction Fuzzy Hash: F811E975E10106CFDB18CFA4C9497EDBBF2AF46304F14806AC109BB251DBB54E45CB51
                                                    Function 0124296A Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48b72af353308adb4328d4e00ceffc625745584f5a7ddec0b8c36f48d90d0120
                                                    • Instruction ID: 71e0c6bc181eae17a3d42c2d50b76ba94f04a9e09fc19cbf50087a9c6ad1aa5d
                                                    • Opcode Fuzzy Hash: 48b72af353308adb4328d4e00ceffc625745584f5a7ddec0b8c36f48d90d0120
                                                    • Instruction Fuzzy Hash: 2E21E934E50208DFDB19EFA8E99099DBBB6FF88300F24412AE905A7368DB749D45CF50
                                                    Function 01245C59 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4033678ed9e6132c31856ce1eb3bec0e3b3622ff2512b1232416ad653a72dce6
                                                    • Instruction ID: 357db5967e9a568a886e7e87a427bb0c96e05796fdc1de7d32f962d8a45f3af2
                                                    • Opcode Fuzzy Hash: 4033678ed9e6132c31856ce1eb3bec0e3b3622ff2512b1232416ad653a72dce6
                                                    • Instruction Fuzzy Hash: 6221AC30A00219CFDB19CFA9C598BEDBBF1AF4C300F2401A9E541BB265CB359D41CB60
                                                    Function 012441A2 Relevance: .1, Instructions: 54COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f2009cfe60a585bbf80ed16d4d0d8f0e7366fff001222a7b1f28e513bf311c73
                                                    • Instruction ID: f4f5c8979eb779e70817e8786fadde3fb7c15372f1a65973c77231c21b664191
                                                    • Opcode Fuzzy Hash: f2009cfe60a585bbf80ed16d4d0d8f0e7366fff001222a7b1f28e513bf311c73
                                                    • Instruction Fuzzy Hash: 6A01F53171D3855FC30A6B6998605AF3FAAEFC6110754849BD405DB386CE214C0687A6
                                                    Function 012466F9 Relevance: .1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d67576b46f00a666d5e49bcc88388900b0703a1e3f7cc8e3c542a83b1281f3ea
                                                    • Instruction ID: 7b7bff5c5d44c08d050a604779d916d6cd8119d01fb6562e5984478bbc7915b3
                                                    • Opcode Fuzzy Hash: d67576b46f00a666d5e49bcc88388900b0703a1e3f7cc8e3c542a83b1281f3ea
                                                    • Instruction Fuzzy Hash: 5F01B1317042409FC31A9B7CB85889E7FA6EFCD261308867AF10ACB355CE65DC0A8B80
                                                    Function 0124C000 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b1cfb5faa0eaa38c937036999882160431ccf0272c8c1bda937d92b9c977dd01
                                                    • Instruction ID: ec446c0c659e3728058fb2bc2bf86c476c00618eab9c4f8e393790b2d189525d
                                                    • Opcode Fuzzy Hash: b1cfb5faa0eaa38c937036999882160431ccf0272c8c1bda937d92b9c977dd01
                                                    • Instruction Fuzzy Hash: 69118B303202598FCB09DF28F899D89BFB9FF45314B1984A9E5458B23ACB71E905CB81
                                                    Function 012432E0 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eeb1f6145bfef56d1b6ee6055d99987397eda10e4b9ef430b463b16bff6ae51a
                                                    • Instruction ID: 3b20cde2dd7b36905a17581d92270c78bfad36f598f57c198738bc7e482fd23a
                                                    • Opcode Fuzzy Hash: eeb1f6145bfef56d1b6ee6055d99987397eda10e4b9ef430b463b16bff6ae51a
                                                    • Instruction Fuzzy Hash: B8115E35E94244CFCB08EFB4E4687AE7BB2AB88301F00482AE402D7385DB755C55DF51
                                                    Function 01242A80 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b92d1720af7de40ecfc066bd2ee9b0bd1583f1b5c772671686f3128bfea3d440
                                                    • Instruction ID: 9d4bc623b93905a1ee1b019245c7e62f23b4bac99aa7ff230f7f90a548efbae9
                                                    • Opcode Fuzzy Hash: b92d1720af7de40ecfc066bd2ee9b0bd1583f1b5c772671686f3128bfea3d440
                                                    • Instruction Fuzzy Hash: 5A0188316607008FC30AAF38D44888A7BF5FF8561470189AAE09ACF365EB71EC048FD2
                                                    Function 01245940 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6a6d4ae0a1c8602fb2efa1799370d9a3208a6996cdc090705ce86114344fc682
                                                    • Instruction ID: b5197d40201953bb26fda8a19b8e17e76489129052ee4522383af6b98d5e045e
                                                    • Opcode Fuzzy Hash: 6a6d4ae0a1c8602fb2efa1799370d9a3208a6996cdc090705ce86114344fc682
                                                    • Instruction Fuzzy Hash: 7A01AF767102108F8719EF69E89486EB7ABFBC9665310853FEA06C7344CE71DC12CBA0
                                                    Function 012441D0 Relevance: .0, Instructions: 42COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 10248f54089985521c1210da1c9229cb54cbf0580af42517bfc42bea17dea85f
                                                    • Instruction ID: b7961a55e8c138edbb765513dddba04365c5aba86b80bd955ac8e70a2e352266
                                                    • Opcode Fuzzy Hash: 10248f54089985521c1210da1c9229cb54cbf0580af42517bfc42bea17dea85f
                                                    • Instruction Fuzzy Hash: A8F09572A143052FC30EABB9BC5046F3B6EFFC5110744486AD415E7384CF615C0587E5
                                                    Function 012432F0 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cfc014b79b355ea068c2155587cdc71f059291e8d99f375c6f8757c379f9359
                                                    • Instruction ID: 0ec0df001cef32f865b7b650cbc546a0db5adc27df41d0e9690c6f76ce63ddb8
                                                    • Opcode Fuzzy Hash: 5cfc014b79b355ea068c2155587cdc71f059291e8d99f375c6f8757c379f9359
                                                    • Instruction Fuzzy Hash: 20011A35E64244CFDB08EFB9E868BAE7BB2AB88301F004829E502E7384DF755C15DB50
                                                    Function 01242A90 Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 96efb36c9e0859367d2e7c12b03da850a37585edcbce95c1c9e2782fdd04ee53
                                                    • Instruction ID: 4032c59505e902d55897d6d8842ac7d7a7afc4a3fc2f36078e8e2b1bcd9d55e2
                                                    • Opcode Fuzzy Hash: 96efb36c9e0859367d2e7c12b03da850a37585edcbce95c1c9e2782fdd04ee53
                                                    • Instruction Fuzzy Hash: 4CF046316207048FC719AB29D44885A7BE6FF8461871089AAE19ADF364EBB1EC048BD1
                                                    Function 01246388 Relevance: .0, Instructions: 34COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1e6d0735d53cf503c19e46ceb47147804b704588abad988d7a877475cab1d3cd
                                                    • Instruction ID: 34d2cf1b5bacd0efd5624ca947c5ad35207980cef4efdecb14e99cdb9f485598
                                                    • Opcode Fuzzy Hash: 1e6d0735d53cf503c19e46ceb47147804b704588abad988d7a877475cab1d3cd
                                                    • Instruction Fuzzy Hash: F5F0AF30D25288AFCB45EBB8E85159DBFF2EF8A200F2085E9D488A7355DA300E06DF11
                                                    Function 0124593F Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1be38ec525b79cb736e356e6d7d38767328dc5aa576b0a40724f1333a728254
                                                    • Instruction ID: 935f6e58033c5d1ad5e4b99ee554664f3aec0f870cc90f1cb1da3348634b0567
                                                    • Opcode Fuzzy Hash: e1be38ec525b79cb736e356e6d7d38767328dc5aa576b0a40724f1333a728254
                                                    • Instruction Fuzzy Hash: F9F05E767102109F8719DF29E4948AEBBB6EBC9265324856EE906C7314CA71CC12CBA0
                                                    Function 01242D92 Relevance: .0, Instructions: 28COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 35b5a2f7522ac44be282e336e9aeb98c139562018f31125c377a0b0ca954a39f
                                                    • Instruction ID: 24098ac1dcf4ab10a22a367d95f617d46417bc308c43cef407b5a15235f46cde
                                                    • Opcode Fuzzy Hash: 35b5a2f7522ac44be282e336e9aeb98c139562018f31125c377a0b0ca954a39f
                                                    • Instruction Fuzzy Hash: 62F05876E20049CFC789EFB8D8056DE7BF0EF49300B1180A5D509EB352EAB08D019B91
                                                    Function 01246398 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6498568e30a1901a4cfeffc31dbcca18ec8165af8afa00a4e7bdd42397f4f5b0
                                                    • Instruction ID: 030084105ee8b7c4da5c5c7fe3db1e85a7abb85ed4993d54a28281d5614b40b0
                                                    • Opcode Fuzzy Hash: 6498568e30a1901a4cfeffc31dbcca18ec8165af8afa00a4e7bdd42397f4f5b0
                                                    • Instruction Fuzzy Hash: C6F08C30E2120DEFCB44EFB8E94495DBBF6EF84200F1081A89808E7384EA305E04DB51
                                                    Function 01241FF8 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58727b0065e058e178563eab9f7f089acdfa5d441dfb2dccd81160c5def671c9
                                                    • Instruction ID: bcf8d54c1c6f183544834f98221ec60a428badb8359145a65f4903ad50545a92
                                                    • Opcode Fuzzy Hash: 58727b0065e058e178563eab9f7f089acdfa5d441dfb2dccd81160c5def671c9
                                                    • Instruction Fuzzy Hash: 48E0DF36B813804FCB066B79D0288997FA5EFCA62530608FFE006C7362C972CC09CB61
                                                    Function 01242DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5c3b72a59b6d8b1a29cd802428d5e05a579959d822ac0e07bfda7af33b039235
                                                    • Instruction ID: 2aa11d6ebcc1ee6b9c9710a5245fcda62b4f4b9e19238ab6c0eb99ef67e47b26
                                                    • Opcode Fuzzy Hash: 5c3b72a59b6d8b1a29cd802428d5e05a579959d822ac0e07bfda7af33b039235
                                                    • Instruction Fuzzy Hash: A6E0ED75E20118CF8B84EFBDD9056DE7BF5EF48310B1140A9E519E7351EBB09D018B91
                                                    Function 012466C8 Relevance: .0, Instructions: 21COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 45eeeb48f98da834b57d7ecfe62bb7de05936ee024efd0f114fd7500858cd92b
                                                    • Instruction ID: 9b1fb050052f9e7e8e71cd97257dd634a3033976855a5553f6183f1658340be8
                                                    • Opcode Fuzzy Hash: 45eeeb48f98da834b57d7ecfe62bb7de05936ee024efd0f114fd7500858cd92b
                                                    • Instruction Fuzzy Hash: 92D0172275A2A04FC70A267C64280DA7FAA8ECA15235805AAE185DB395C9944C0A9791
                                                    Function 01242008 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0f21684efd11e8b08c1864803b62e6c19fc6e47b97fb0416c9977a3d6fd16dd4
                                                    • Instruction ID: c8ce156ad18fae4d44205a1649c3c1bb65aa75a5048bcaf3591d31137b4893a5
                                                    • Opcode Fuzzy Hash: 0f21684efd11e8b08c1864803b62e6c19fc6e47b97fb0416c9977a3d6fd16dd4
                                                    • Instruction Fuzzy Hash: 7DD01735B402148FCB146ABEE41889A77EEEFC966234108AAF50AC7320DEB1DC1187A1
                                                    Function 01246469 Relevance: .0, Instructions: 18COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a96ee5a52ffdeb0adec1a6f573ff78a27705609facf92fcef1d1a555095e07f
                                                    • Instruction ID: 9d78d66a88d4220be0ea8595f8d41e65f53d6240aa3d7b364360df188b0cccdb
                                                    • Opcode Fuzzy Hash: 5a96ee5a52ffdeb0adec1a6f573ff78a27705609facf92fcef1d1a555095e07f
                                                    • Instruction Fuzzy Hash: 11E02E716593008FC30A9B28E0898147FBAEF8D310B1000F9F009CB376C924EC8ACB09
                                                    Function 01245631 Relevance: .0, Instructions: 18COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1f88b533fb68bcd3f602e4750965fc106c5e2197890273ae27d7d3bfc751df6
                                                    • Instruction ID: 1d07c1f3127b773786f2dcc3ad00489b516df832531dd6806d764a6e3541b150
                                                    • Opcode Fuzzy Hash: d1f88b533fb68bcd3f602e4750965fc106c5e2197890273ae27d7d3bfc751df6
                                                    • Instruction Fuzzy Hash: EDD0A7209453455FD7020B18AC5D0913F79DE5342035400C2DD4547113E927886BC641
                                                    Function 0124CFFE Relevance: .0, Instructions: 14COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53b943404f35cf1a703d08d7ce6af32cdf7dced4153e17891dd3a7769280f363
                                                    • Instruction ID: 2f4609155ab80866c9359ca5e0e2e4bc80a26ce17aba104a058316e5b3a6b913
                                                    • Opcode Fuzzy Hash: 53b943404f35cf1a703d08d7ce6af32cdf7dced4153e17891dd3a7769280f363
                                                    • Instruction Fuzzy Hash: 3CD0A738535309C7FF298691B15E3787D555F90359F14C069B40A075C0CBF78086EE90
                                                    Function 01246478 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.3313043109.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_1240000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00ca7610185e5e422d02073098183cd7eaedb36f4a71f4dc2311fbd6c11716bc
                                                    • Instruction ID: cbd51b91ff0785dcea57add7a6026810bf44bdef0f5d31b37599634262734d53
                                                    • Opcode Fuzzy Hash: 00ca7610185e5e422d02073098183cd7eaedb36f4a71f4dc2311fbd6c11716bc
                                                    • Instruction Fuzzy Hash: 31C012357902048F8208EB6CE080C2673EAEF8C710B1000A9F609CB379CE20EC82CA18

                                                    Executed Functions

                                                    Function 00B54F58 Relevance: 11.9, Strings: 9, Instructions: 619COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-416939441
                                                    • Opcode ID: e07af63a1732882a1cff8c3946c0128caad06f077649c34b9e90fc8e62817151
                                                    • Instruction ID: 3054cc5b01495c20260127970f1b9338e20fb5c7c523cc34bf021723b4cc9867
                                                    • Opcode Fuzzy Hash: e07af63a1732882a1cff8c3946c0128caad06f077649c34b9e90fc8e62817151
                                                    • Instruction Fuzzy Hash: 5132A030B006058FDB15EF69D4646AEBBF2EF89312F2480A9E805E7395DB34DD46CB91
                                                    Function 00B53860 Relevance: 4.4, Strings: 3, Instructions: 691COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: e81dec81203c9baf6241ee569baa5a69313b4f830f718c9abe464761c83837ea
                                                    • Instruction ID: 2d4e5ad9172e64eedf51e92c5276b83766eed4e301951bed0821c10b9f5ab75e
                                                    • Opcode Fuzzy Hash: e81dec81203c9baf6241ee569baa5a69313b4f830f718c9abe464761c83837ea
                                                    • Instruction Fuzzy Hash: 26427174B002049FDB09EB69D854AAE7BF7EF88740F148069E805A73A5DF34DD4ACB90
                                                    Function 00B53750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: 8b14f6343863a97b66407b13a2822e5a57643292ba2fbf1fe42de35c969f24a5
                                                    • Instruction ID: 41e757c5d968a9974e0fc53b580d7f6edcab617bb9a2c5bf9749e49cb3ebc721
                                                    • Opcode Fuzzy Hash: 8b14f6343863a97b66407b13a2822e5a57643292ba2fbf1fe42de35c969f24a5
                                                    • Instruction Fuzzy Hash: 56216D21B082544FD31A677D181017E3BE7DBD632172881BEEC0AD73C2DE288D0B8392
                                                    Function 00B51049 Relevance: 2.1, Strings: 1, Instructions: 843COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -v
                                                    • API String ID: 0-1581256980
                                                    • Opcode ID: 350bf7ea4ec3ffb15172d6d714693823730f4983e532645a59580f7ef7da469b
                                                    • Instruction ID: 1c231f8ca331bc9ca0187bc3d3d2d2eea2477daad7bd95f4cc3b00571dbeaa14
                                                    • Opcode Fuzzy Hash: 350bf7ea4ec3ffb15172d6d714693823730f4983e532645a59580f7ef7da469b
                                                    • Instruction Fuzzy Hash: D182E4BC640209DFDB0AEBA5E654F6E7B7AEF84304F104414E8012377DCB39695AEB25
                                                    Function 00B51058 Relevance: 2.1, Strings: 1, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: -v
                                                    • API String ID: 0-1581256980
                                                    • Opcode ID: cae0be009fa8a9f19e6ab891d29eeb4dfda035cbe9798dcb07ee7f4a339e2b69
                                                    • Instruction ID: f8a1315941ca1d238e06dedd153988f70df1463d945f310f31d7273b28b025bf
                                                    • Opcode Fuzzy Hash: cae0be009fa8a9f19e6ab891d29eeb4dfda035cbe9798dcb07ee7f4a339e2b69
                                                    • Instruction Fuzzy Hash: E182E4BC640209DFDB0AEBA5E654F6E7B7AEF84304F104414E8012377DCB39695AEB25
                                                    Function 00B5BEAF Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: 4c6b3fb39a10a240f7d98eea4a50bee6756128d7edbbfef3cac81d1a1e4b6888
                                                    • Instruction ID: b599269b3d547768501a322f38e1e5b5f336d9b6601813e287378fd97a72e287
                                                    • Opcode Fuzzy Hash: 4c6b3fb39a10a240f7d98eea4a50bee6756128d7edbbfef3cac81d1a1e4b6888
                                                    • Instruction Fuzzy Hash: C0418E347001048FC754DF3DC899E6EBBE6BF89710B2580A9E906DB3B2DA70DD068B81
                                                    Function 00B5BEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: 0a3970a6b5020f502e6ab52b8e84e11f0b69335268deb05d21adf48044a290ab
                                                    • Instruction ID: d8166286344c448421080b9d15841785b84dbcc553810c18ddc455d684d63fd6
                                                    • Opcode Fuzzy Hash: 0a3970a6b5020f502e6ab52b8e84e11f0b69335268deb05d21adf48044a290ab
                                                    • Instruction Fuzzy Hash: 24416F347005048FC754DF7EC499A6EBBE6FF89710B2584A9E506DB3B1CA71DD058B81
                                                    Function 00B52B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 75427d9fbe372495daefb2f4590c621d9a4caa6fa2b0afd4600333fe8dc3633d
                                                    • Instruction ID: 94dade7ab74b7d8c3fe1b2a3bbf5b9d068a5077c08a7662bc05bcbb4f9526f83
                                                    • Opcode Fuzzy Hash: 75427d9fbe372495daefb2f4590c621d9a4caa6fa2b0afd4600333fe8dc3633d
                                                    • Instruction Fuzzy Hash: 963118347102058FDB09EB39D454A6E33B2EFC9A1972081ACD10A8B3A4DF39DC079B96
                                                    Function 00B52B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 5974bbd7a88c42f20d5dddeb54a644d06217448ffdca4f4750e25d13fa9cea6b
                                                    • Instruction ID: 0480c809336fd983c8bc2a3e69670bf841f294c895ad9d367cc201caba621cb7
                                                    • Opcode Fuzzy Hash: 5974bbd7a88c42f20d5dddeb54a644d06217448ffdca4f4750e25d13fa9cea6b
                                                    • Instruction Fuzzy Hash: B131F8347102158FDB19EB39D454A6E33B2EFC9A19720817CD10A8B3A4DF39DC479B96
                                                    Function 00B54248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: 4c6960882d10b6778c541d6a92dd85d4dcbc212c2d0f87ac79ee8480935e6f39
                                                    • Instruction ID: 255271c880e757fc4efbaa06cf752b74707de3492c0cc059f87001d6160c79e9
                                                    • Opcode Fuzzy Hash: 4c6960882d10b6778c541d6a92dd85d4dcbc212c2d0f87ac79ee8480935e6f39
                                                    • Instruction Fuzzy Hash: 680168327082500FD30AA77D681067E3B97DFC261174884EED8458B386CE69DD4AC3D1
                                                    Function 00B5B0B0 Relevance: .7, Instructions: 680COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: baa2a333aa54fbf66e85a41c585aeae22cdec6ed7b7e531414089f7e07e82c60
                                                    • Instruction ID: 54c74161b783b8ff093809022a3bb44ea7a9efebcc7e3ebf41c28e0ca1a64609
                                                    • Opcode Fuzzy Hash: baa2a333aa54fbf66e85a41c585aeae22cdec6ed7b7e531414089f7e07e82c60
                                                    • Instruction Fuzzy Hash: 97523938A01600CFC719EF24D458E697BF2FF8830AB6585A8D8169B2B5DB75DC4ADF40
                                                    Function 00B5AF90 Relevance: .2, Instructions: 196COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4a78cc6128a483bb2ce639c9cb7dd6acc33fdf03b0eea614625d2380b9de6c2
                                                    • Instruction ID: edd984a37410b8b84681483d9db2e3e2df964cd904b2d215c56ab0e9a34b7f42
                                                    • Opcode Fuzzy Hash: a4a78cc6128a483bb2ce639c9cb7dd6acc33fdf03b0eea614625d2380b9de6c2
                                                    • Instruction Fuzzy Hash: 8F6101719093804FD70ADB38D961AD9BFB5EF92314F0881EBC5508B1B7EB64580EC7A2
                                                    Function 00B5C060 Relevance: .2, Instructions: 184COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a45624d25cb08c15a3b9ba0396fe50e14ca0f33dc5805955b44bb47d49340593
                                                    • Instruction ID: b97d9cae86f0768245d3356e7e7c75904794b6e502eeb9978057d5bdc7a7c50a
                                                    • Opcode Fuzzy Hash: a45624d25cb08c15a3b9ba0396fe50e14ca0f33dc5805955b44bb47d49340593
                                                    • Instruction Fuzzy Hash: 497139355007049BD359DF35D95098BFBA6EF80304314CA7E958A9BAA5EF72F90ACBC0
                                                    Function 00B5C070 Relevance: .2, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d355c934783170c1c33bc62322a2e37ab6b55c103f46ae911e11f7268efffd7b
                                                    • Instruction ID: 752dde6821d34e2f5a6642c43750931bbc4f274f11accc4afb38714744831154
                                                    • Opcode Fuzzy Hash: d355c934783170c1c33bc62322a2e37ab6b55c103f46ae911e11f7268efffd7b
                                                    • Instruction Fuzzy Hash: B37129311007049BC359DF35D950A8BFBA6EF84304314CA7E958A9BA65EF72F90ACBC0
                                                    Function 00B5BB99 Relevance: .2, Instructions: 173COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0fe3a07f8f12905f99ac2315b0cc0160c96dfcd962f6aeefde657096255d7f6a
                                                    • Instruction ID: 9a70ff3130224d40696e8376e35a0905d556c3cd60935ce51bea5a3997dcc128
                                                    • Opcode Fuzzy Hash: 0fe3a07f8f12905f99ac2315b0cc0160c96dfcd962f6aeefde657096255d7f6a
                                                    • Instruction Fuzzy Hash: 3B81C278601205CFC71AFB14E689E99BBF2FB85309B25C5A8D5158B239C770E85EEF40
                                                    Function 00B5385A Relevance: .2, Instructions: 163COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 080738b348dc7ed4ad1eb3b8ebc6fb99a8645ae81f80585cb596e3680d3a37af
                                                    • Instruction ID: 792c0106920c61de14e8ee187f06af25f3caa51e5dd3024b4e700ef73ccac908
                                                    • Opcode Fuzzy Hash: 080738b348dc7ed4ad1eb3b8ebc6fb99a8645ae81f80585cb596e3680d3a37af
                                                    • Instruction Fuzzy Hash: 80614E74A01218AFDB05DFA9E994AAEBBF6FF88710F104069E805A7364DB34AD05DB50
                                                    Function 00B55AA0 Relevance: .1, Instructions: 141COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 814cf94f61465224351e820d1d5a0657ff81a56934ce38c91dc65049d2ff6ae0
                                                    • Instruction ID: d6d770569f151d3e1a1a2b2f65bd4c2d4d3323ec41056eb757db7604ba896829
                                                    • Opcode Fuzzy Hash: 814cf94f61465224351e820d1d5a0657ff81a56934ce38c91dc65049d2ff6ae0
                                                    • Instruction Fuzzy Hash: 60513E74B006058FCB14DF69D594E6EBBF5EF88315B1141A8E909DB365DB30EC05CBA0
                                                    Function 00B5C798 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29737793878681958ccae2ca393af692e9cf8a6669c5863c7daa85d64e293a97
                                                    • Instruction ID: e131b0d6ff74d4fc2c7526a55a1b653e2f52662cb9ba4c4b858dfba5e5c33510
                                                    • Opcode Fuzzy Hash: 29737793878681958ccae2ca393af692e9cf8a6669c5863c7daa85d64e293a97
                                                    • Instruction Fuzzy Hash: 555106315007049FD319EF35D94194ABBE6EF85304310CA6ED58A9B665EB36F90ACFC0
                                                    Function 00B55240 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9cb3473abe614a83a788a72b6c6b03c875c48d7602a9421e6da38030bb33a3dc
                                                    • Instruction ID: 13d74ec5a188228764f264848370a3ad291f7746de8b1df117e80f1c130ba696
                                                    • Opcode Fuzzy Hash: 9cb3473abe614a83a788a72b6c6b03c875c48d7602a9421e6da38030bb33a3dc
                                                    • Instruction Fuzzy Hash: 3A510D34A016189FDB28DF65D494BADB7F2EF88316F1481A9E805A7364DB349C49CB90
                                                    Function 00B5C981 Relevance: .1, Instructions: 129COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1f86b5ec6704ba2cac996e74cbb2890ecb55ddaae02829ae4d0adfee1705f6a3
                                                    • Instruction ID: a0829c1a098acc95ab1554d3b92db55f6d6fe342a4c65b45b3a1ee5a7d09ffac
                                                    • Opcode Fuzzy Hash: 1f86b5ec6704ba2cac996e74cbb2890ecb55ddaae02829ae4d0adfee1705f6a3
                                                    • Instruction Fuzzy Hash: 31419C726003009FC326DF74D94169ABFE6EE85315710CAADC58A9B661EA35F90BCBC1
                                                    Function 00B52850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d92e90753537e12da44be2daa9c95b6886ec322e6714781944625995721c91d3
                                                    • Instruction ID: 6503ada7703da2216ac8339b852747f5c82c4cfa347656fcc88f53eff8f77696
                                                    • Opcode Fuzzy Hash: d92e90753537e12da44be2daa9c95b6886ec322e6714781944625995721c91d3
                                                    • Instruction Fuzzy Hash: 1541F874A00208CFDB18EFA9D984AADBBF6FF89305F204579D901A7264DB34AD49DF50
                                                    Function 00B55A91 Relevance: .1, Instructions: 103COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 624d3f62be9e93a348c5284414a7de0a44219b42655050ce8a90abf9ba39ed15
                                                    • Instruction ID: 00a5964a1e83bc286bb5b094ad0ecd3ff2ca0a1ca4a4e4a3cb3e6aae21b328a9
                                                    • Opcode Fuzzy Hash: 624d3f62be9e93a348c5284414a7de0a44219b42655050ce8a90abf9ba39ed15
                                                    • Instruction Fuzzy Hash: 50315E75B006068FC704DF69D994E6ABBF5EF88315B1181A9E509DB372DB30ED06CB50
                                                    Function 00B52842 Relevance: .1, Instructions: 97COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e448b35cd143b48cfd6a61853550237d0eec3882e79cae5a2065436fcf0fa651
                                                    • Instruction ID: 3e7d163a285f105fea6ffd2427c5112b950d34cdb269b55fe3493e9e46a0cfd9
                                                    • Opcode Fuzzy Hash: e448b35cd143b48cfd6a61853550237d0eec3882e79cae5a2065436fcf0fa651
                                                    • Instruction Fuzzy Hash: 2E311D74E002099FDB18EFA8D984AEDBBF6FF89305F104579D901A7264EB34994ACB50
                                                    Function 00B5C353 Relevance: .1, Instructions: 95COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72e32fb906524fb735c902df613b0739218728b3e691f98562183ff8c891c270
                                                    • Instruction ID: ab9fa11b6a86eafd1e82db08c4aa1e7b9511481c1cef15db54a5e77f1ee5c421
                                                    • Opcode Fuzzy Hash: 72e32fb906524fb735c902df613b0739218728b3e691f98562183ff8c891c270
                                                    • Instruction Fuzzy Hash: B531E9725053404FD316DB38D96059ABFA1FE9130534489FEC586CF696EA25F80BC781
                                                    Function 00B55308 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a52081132ab5017dd8ad312cc771d0b1597dcf2fb853378e72a52ddf22254cb
                                                    • Instruction ID: 75f02c8d11ce01fa8517fe54bf89a6970b4180288f9c7f9485d53a5989472d5e
                                                    • Opcode Fuzzy Hash: 2a52081132ab5017dd8ad312cc771d0b1597dcf2fb853378e72a52ddf22254cb
                                                    • Instruction Fuzzy Hash: A3411034A01514DFCB08EFA4E494AADB7F2FF88316F2080A9E805A7364DB349D46DF90
                                                    Function 00B52C48 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 94f2ac1877b92dfbac4cd37556b1d86b61ca715cc1fa27e95ce75bd6ea169bb4
                                                    • Instruction ID: 7ef31dc817f5455bbdce01fcfd8b8c7ccf4b26c0b5c4c005643d01b8b8689e8b
                                                    • Opcode Fuzzy Hash: 94f2ac1877b92dfbac4cd37556b1d86b61ca715cc1fa27e95ce75bd6ea169bb4
                                                    • Instruction Fuzzy Hash: 21413B78900209CFDB08EFA8D585AEE7BB5FF48318F104169D911A7368DB349D4ADF90
                                                    Function 00B5B0A0 Relevance: .1, Instructions: 87COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4adfed27984f30066fcec158a61ed4a9279d11904f1406a1a497afb266773ceb
                                                    • Instruction ID: 2c87070ecaacd8cf049cdc12f2ef3835169051f86b228f6e2c858d302e7e271e
                                                    • Opcode Fuzzy Hash: 4adfed27984f30066fcec158a61ed4a9279d11904f1406a1a497afb266773ceb
                                                    • Instruction Fuzzy Hash: 57312830A102048FDB19EB78D854AADB7B6FF84304F10856CD416AB3A5DF749D0ECB81
                                                    Function 00B54B5E Relevance: .1, Instructions: 83COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68856fa6be4e1cc75cafe9cfffc7fae7dcb9ce1a46e3653961cb5aba8ae2adad
                                                    • Instruction ID: 1f26fd4c8dfbcdbef3e900c97d66dd5dfe3858a43aa7e602d981b9e3c1abc45f
                                                    • Opcode Fuzzy Hash: 68856fa6be4e1cc75cafe9cfffc7fae7dcb9ce1a46e3653961cb5aba8ae2adad
                                                    • Instruction Fuzzy Hash: DB21D8302043055FD709EB39E880E5DBBAAEFC0344B048A79D4098B669DB75ED4EC795
                                                    Function 00B52C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a94c01a354db6560c8eceb2f7e7032ebc215fbc2df68c8195ce9919431fa9ae2
                                                    • Instruction ID: 8aab0524f7d4aea8fa8c2f61b990e305c9e9a3a1e9a08ae890942e06c8b34d99
                                                    • Opcode Fuzzy Hash: a94c01a354db6560c8eceb2f7e7032ebc215fbc2df68c8195ce9919431fa9ae2
                                                    • Instruction Fuzzy Hash: C8311C78900209CFDB08EFA8D585AEE7BB5FF48318F104169D911A7368DB34AD4ADF90
                                                    Function 00B5C313 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b7fb0a98ca0374d3717ce6742ee67b2852a598ccaa4f06afdb17502ee877b3a7
                                                    • Instruction ID: 1d1040a1d37c1fe624e23c53ba245b25938ad90eb464a17f24d6bb3c56b5c56a
                                                    • Opcode Fuzzy Hash: b7fb0a98ca0374d3717ce6742ee67b2852a598ccaa4f06afdb17502ee877b3a7
                                                    • Instruction Fuzzy Hash: 0D214B326017049FC355DF74DA5069BBBE6FF843143148AAEC54A8BA55EA36F90ACBC0
                                                    Function 00B55698 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 277a803af3e4a3fdaf8772a7fe9dace99429d9926875075f2404f86151ad7956
                                                    • Instruction ID: d0ec4f10af3c4db8d9700e168f1537c4566cf7196f8723d68189fc7b34d9883f
                                                    • Opcode Fuzzy Hash: 277a803af3e4a3fdaf8772a7fe9dace99429d9926875075f2404f86151ad7956
                                                    • Instruction Fuzzy Hash: 75218B70B016048FC714DF29D5A8A6EBBF6AF88702F2440A9E806E73A0DF71ED05CB50
                                                    Function 00B5288D Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91bb1b0a36f4534df31588f583a8f0e205fc0b41da5dc0638cdc95997b7fd6ba
                                                    • Instruction ID: 6535ee6d1203016c814a5ec0479f09f4ffbfcf15ae699512252e978be864ab82
                                                    • Opcode Fuzzy Hash: 91bb1b0a36f4534df31588f583a8f0e205fc0b41da5dc0638cdc95997b7fd6ba
                                                    • Instruction Fuzzy Hash: 98310D74A05208CFDB18EFA8E984AADBBF6FF89305F145179D801A7264DB349C49DB10
                                                    Function 00B5CEC0 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15dc5ab71d56a57d15cd35208c6f59442e0787062f95d0ba9bf71ae0d4b7198a
                                                    • Instruction ID: 1eb92121cd0cd3e24ee76ea446e5a49a7190f784f557675c0870d58f045703c5
                                                    • Opcode Fuzzy Hash: 15dc5ab71d56a57d15cd35208c6f59442e0787062f95d0ba9bf71ae0d4b7198a
                                                    • Instruction Fuzzy Hash: 6E213774C013089FDB24DFA8D98879DBFF6EB49314F2480AAE809A7240CB79584ADF51
                                                    Function 00B54B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ecfa17efaac9aa37f541c43d33bbe5344d3a453c26d13103779de85252e2907e
                                                    • Instruction ID: eb72c9b30f70e981a3bd2a6a3024fafd7a9bddd81c977be1dfb901e8c41c8291
                                                    • Opcode Fuzzy Hash: ecfa17efaac9aa37f541c43d33bbe5344d3a453c26d13103779de85252e2907e
                                                    • Instruction Fuzzy Hash: C2218E302003055FD709EB39E880E6EB7AAEFC4354B008A38D4098B669DB75ED4D8BA0
                                                    Function 00B5CED0 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f262afc60acd367be15fea95c057a78c17ba281e92a445bbb224ae660a08b2ea
                                                    • Instruction ID: 089a4cc52d36c292e6e4073c67ff4893b78f97cd53bfb2dc34a0cd7456ffb471
                                                    • Opcode Fuzzy Hash: f262afc60acd367be15fea95c057a78c17ba281e92a445bbb224ae660a08b2ea
                                                    • Instruction Fuzzy Hash: 05211670D00308DFDB25DFA9D588B9EBBF6EB48314F24809AE809A7340C7799849CF90
                                                    Function 00B55C42 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1766eb6008a2a9ca3f7bf4aad67764ca905f87d8f552819c8258089ef5bfb8a3
                                                    • Instruction ID: bf2e879383da1985788d67fac85b4e630f57e8bd4b9583cb1bcc204c5ba0b9d2
                                                    • Opcode Fuzzy Hash: 1766eb6008a2a9ca3f7bf4aad67764ca905f87d8f552819c8258089ef5bfb8a3
                                                    • Instruction Fuzzy Hash: 8F217C31A042888FCB15CBA8C5A4BEDBFF1EF49311F1500EAD445AB2A2D7355D49CB60
                                                    Function 00B52908 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be4b33af5e1de7f75afbd4dbed467e73a2edf54e0caa4c89c7dc22d1041c80d7
                                                    • Instruction ID: e70625483786b2b71390d2f26ca3751152376a460789d030be2e3e76f90b151d
                                                    • Opcode Fuzzy Hash: be4b33af5e1de7f75afbd4dbed467e73a2edf54e0caa4c89c7dc22d1041c80d7
                                                    • Instruction Fuzzy Hash: 3B21EA74E002089FDB18EFA9D980AADBBF6FF89305F108179D81567268DB349809DF51
                                                    Function 00B55C68 Relevance: .1, Instructions: 60COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8ae078a21bc930c4d4137741138fa2e25a74f0428141022be20ea063185bb894
                                                    • Instruction ID: 82748212b939bac63cd64588f0c0d788fc863bf32c48d5681848ede11abc80ea
                                                    • Opcode Fuzzy Hash: 8ae078a21bc930c4d4137741138fa2e25a74f0428141022be20ea063185bb894
                                                    • Instruction Fuzzy Hash: BF21F735A002198FDB14DBA9D598BDDBBF5EF4C311F2000A5D905BB2A0DB75AD44CBA0
                                                    Function 00B56888 Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3187db938dabd222d417dbdea5d2dfdf1a8e8330c26444c649dc0b4639c61665
                                                    • Instruction ID: d9ca4c3a16c823f540f51beaf009b9d1b5de6f03a87e6c27abbc32a2d585c28b
                                                    • Opcode Fuzzy Hash: 3187db938dabd222d417dbdea5d2dfdf1a8e8330c26444c649dc0b4639c61665
                                                    • Instruction Fuzzy Hash: E1217271A00205CFDB10DFA4C9487EDBBF1EF88306F5484EAD845A7152DB758E49DB51
                                                    Function 00B5296A Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6523f755b4fe81b7a4b4f6e2f7de1fb32b0e093eee57f99c051625ba54395af2
                                                    • Instruction ID: f1588de676399639723bd2a4ffa959088acdf13571d99388f16434b71ed42ed8
                                                    • Opcode Fuzzy Hash: 6523f755b4fe81b7a4b4f6e2f7de1fb32b0e093eee57f99c051625ba54395af2
                                                    • Instruction Fuzzy Hash: A521C974A01208DFDB18EFA8D980A9CBBF6FF89305F204169D905A7364DB34AD49DF50
                                                    Function 00B5C000 Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1ccad52fc1882c01f726883965f6b6ba306ce302ec797de85f96bfca96f36dbd
                                                    • Instruction ID: 1d7db1497d23814c8c06a737582b20c62c1ebe50fc23669abebb577a28b06cca
                                                    • Opcode Fuzzy Hash: 1ccad52fc1882c01f726883965f6b6ba306ce302ec797de85f96bfca96f36dbd
                                                    • Instruction Fuzzy Hash: C6116D343406058FCB19DF28F984E9ABBF5FF85719B1081A9E5058B675CB71ED0ACB80
                                                    Function 00B532E0 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e647eb8c8382edb1f01a76548d6e8254e47d0355fc5db8b288dd409e1ae4e41a
                                                    • Instruction ID: 63a0e5204d737e17d7e2e658d5d1281a07ea7f8a899f950124d5deb8694f3fa7
                                                    • Opcode Fuzzy Hash: e647eb8c8382edb1f01a76548d6e8254e47d0355fc5db8b288dd409e1ae4e41a
                                                    • Instruction Fuzzy Hash: 8D110C74A042449BDB08FFB8E859BAE7FF2EB88305F404478D90697291DB3D5C0A9B60
                                                    Function 00B55940 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb12c695fe645cdc974a93cd4ef037bda1982cf8a70bc503256fe11e3dc2cb47
                                                    • Instruction ID: 648632bb6d37d573cd999ad7682c0bc7b817134a5daf120fdb77b6f81af10471
                                                    • Opcode Fuzzy Hash: cb12c695fe645cdc974a93cd4ef037bda1982cf8a70bc503256fe11e3dc2cb47
                                                    • Instruction Fuzzy Hash: 000144763002108F8704EB7DE494D5EB7E6EBC9666310857EEA06D7350CE35DC0687A0
                                                    Function 00B52A80 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29c8335ddbb956a3e383b2da52d8a93a555f6d38a4ab0e30bf0c1d023df58aad
                                                    • Instruction ID: 72df8e5706ae045e001b6b268f395ebf1e0bd82f79e4e6ace87eafe3003a077e
                                                    • Opcode Fuzzy Hash: 29c8335ddbb956a3e383b2da52d8a93a555f6d38a4ab0e30bf0c1d023df58aad
                                                    • Instruction Fuzzy Hash: E401BC352107004FC312EF38D44595ABBE5EF85314311C9AAE68ACF325EB31ED098BC2
                                                    Function 00B532F0 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cf9239b8337063962fda914bdcaa43c4512906962cd9416bed17f37a406f196e
                                                    • Instruction ID: f2e7690339198a328a8b51ab5ada6e236b274f2cd9a9ffdae9be0db7509c16ed
                                                    • Opcode Fuzzy Hash: cf9239b8337063962fda914bdcaa43c4512906962cd9416bed17f37a406f196e
                                                    • Instruction Fuzzy Hash: B901DB34A141449BDB08EFB8E459BAE7FF2EB89305F404478D90297291DB395C09DB60
                                                    Function 00B541D0 Relevance: .0, Instructions: 39COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43a59b86c22cb638353c780c4e4e75c442ef037e6b0ca5b9841f4d89008b324c
                                                    • Instruction ID: 7e4ef2da423ff0bc4eb3d90a3d8e89646e12c261baf0c21bddcdb992286231c4
                                                    • Opcode Fuzzy Hash: 43a59b86c22cb638353c780c4e4e75c442ef037e6b0ca5b9841f4d89008b324c
                                                    • Instruction Fuzzy Hash: 64F059716083042FD309A37AB89156E6BEAEBC5150714442DE409E7342CE259E0B8365
                                                    Function 00B54237 Relevance: .0, Instructions: 38COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80151dbab39c491e4de429bfd17644c17a9205ae2853172a463e9266c64d43c0
                                                    • Instruction ID: 18f0d9f0d96ce3ef90cac0ba378c8c0dcc6bc0122aa6e0d42e6ba8135f4aaf6c
                                                    • Opcode Fuzzy Hash: 80151dbab39c491e4de429bfd17644c17a9205ae2853172a463e9266c64d43c0
                                                    • Instruction Fuzzy Hash: 15F05C722042001FC3099B3DB851ABE7B67EFC0710B04847DE8844BA45DF359E8B87C1
                                                    Function 00B52A90 Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82898f105c694700dccb19362f84c99e1fdd8dcc86114076834c551fbbc6b39c
                                                    • Instruction ID: 329cdfc577ac0b6534e5486d07ec555e47b5e19ff5b390aa5f4dc76ace68bd50
                                                    • Opcode Fuzzy Hash: 82898f105c694700dccb19362f84c99e1fdd8dcc86114076834c551fbbc6b39c
                                                    • Instruction Fuzzy Hash: 3CF046316107048FC715EB39D44595BBBE6EF85714710C9AAE68ADB325EB31EC088BC2
                                                    Function 00B5593E Relevance: .0, Instructions: 34COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c80a55aa4202abe7787ecb43ca7ba2d3a3552efae5ba7f2bb76a1a7305eaf78
                                                    • Instruction ID: fbe1d6f29dbbcab23a369fd3f7cd3cedce2fd92a64f2be458b88c7b3c1be3546
                                                    • Opcode Fuzzy Hash: 9c80a55aa4202abe7787ecb43ca7ba2d3a3552efae5ba7f2bb76a1a7305eaf78
                                                    • Instruction Fuzzy Hash: 82F089753002108F8304EF39E494D59BBF6EBC9665310817DE909C7350DB35DC06C7A0
                                                    Function 00B56388 Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3da645a63cca56d31a72ad359201028ce0e3c316825a99404a877ccf936ee056
                                                    • Instruction ID: 06795f4021d3750ae2b7d92b44fac6e883bcf772f052924929159a04ae239a83
                                                    • Opcode Fuzzy Hash: 3da645a63cca56d31a72ad359201028ce0e3c316825a99404a877ccf936ee056
                                                    • Instruction Fuzzy Hash: F6F06234909348AFCB41EFB8A45569CBFF1DF86205F1085EDD848A7292EA305E4ADB42
                                                    Function 00B541E0 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f4dae2a51b4db8e92212aa8d3aa777592fe9cf1910aae6b2820272def5edacf
                                                    • Instruction ID: 31ec5320bf285ca335c517f725980eec36caf05c773c0bea1bb3225fa5df3551
                                                    • Opcode Fuzzy Hash: 7f4dae2a51b4db8e92212aa8d3aa777592fe9cf1910aae6b2820272def5edacf
                                                    • Instruction Fuzzy Hash: 01E0E5317043082FA708B6BAB851A7FB7DEEBC92A1754483DF409E7340CE21AD0943B5
                                                    Function 00B52D92 Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 251e42a33b67a91207d99216920d6cc3f4b5574db38ad3958ab067cb902fd183
                                                    • Instruction ID: 1a6225bab507ce6cd3dc976dcb40f7cfa24d918dee22f20fe590a3b4cb988d8c
                                                    • Opcode Fuzzy Hash: 251e42a33b67a91207d99216920d6cc3f4b5574db38ad3958ab067cb902fd183
                                                    • Instruction Fuzzy Hash: E8F05EB1E200158FC744FFACD8452ED7BF0EF48311B1180A9D509E7251DA718A168B91
                                                    Function 00B56398 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ffa8bfc995e548c570219cc88928a6f478c532b90ee1c58889112841063f437
                                                    • Instruction ID: 96fdf9cb9e031210efba307c427f7b8241263de68a6e122c21152d481f80a00e
                                                    • Opcode Fuzzy Hash: 6ffa8bfc995e548c570219cc88928a6f478c532b90ee1c58889112841063f437
                                                    • Instruction Fuzzy Hash: CCF08234A0030CEF9B04EFB8E545A9DBBF5EF84205F1042A89808A7381EB306F09DB51
                                                    Function 00B5CFE0 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 177c99acc47b7601ac1c3527629565cacf86ea90ff40ec8a80b7f96853ad7cc3
                                                    • Instruction ID: 93136939d923f6f7ca6845aefd75e974f0f42905940385690413407dce251a73
                                                    • Opcode Fuzzy Hash: 177c99acc47b7601ac1c3527629565cacf86ea90ff40ec8a80b7f96853ad7cc3
                                                    • Instruction Fuzzy Hash: 4EE09B2590A3405FEB31069169153603FA5DB5131AF1D80EADC4947AD2D7AD4C8FEB51
                                                    Function 00B51FF8 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a55455e49a498a143ad617444cc290c730130f454af46e88600b9ca0594a37bd
                                                    • Instruction ID: 800bf1b522e517b6f27414b595ef17076d669d758915e05c8aad69e287e8333e
                                                    • Opcode Fuzzy Hash: a55455e49a498a143ad617444cc290c730130f454af46e88600b9ca0594a37bd
                                                    • Instruction Fuzzy Hash: 88E0DFB67052408FCB149BBDD4A888E3BE6EF8A21530200EAF146CB322CD34DC1B8761
                                                    Function 00B52DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5a648d6a738be7515b44c631d7cf76c3a6600d3887e36c556f0c75e5da6ad2b2
                                                    • Instruction ID: c517385516e23d45ffd6ad97db9ddc4150504d8b9b5979936c4ccb9282a211c7
                                                    • Opcode Fuzzy Hash: 5a648d6a738be7515b44c631d7cf76c3a6600d3887e36c556f0c75e5da6ad2b2
                                                    • Instruction Fuzzy Hash: 80E06D71E201188F8B84EFBDD8056DE7BF4EF48311B2180B9D509E3311EB709E008B91
                                                    Function 00B5374E Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 327d26bac7bb579683a3228c1c1de6e5724f9c17063c230a5143113863ee6847
                                                    • Instruction ID: 9a43be6eae18dfcb4265b1be3d1882def19401ee66993f2668291d5006fa44e3
                                                    • Opcode Fuzzy Hash: 327d26bac7bb579683a3228c1c1de6e5724f9c17063c230a5143113863ee6847
                                                    • Instruction Fuzzy Hash: 10E0C276B051105783295726A404A7E77E7DBCDAB27188066DE0DC3314FF248D0BA3D2
                                                    Function 00B52008 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 22bed9917b2a1fc46b10b25a172f2016a3ea952827d1b832099ba4cdb1e80e65
                                                    • Instruction ID: f1b226beb89c5f1bb1d0bfff98868cb9874bc689aaa95b4b82a75fbce6e48e1c
                                                    • Opcode Fuzzy Hash: 22bed9917b2a1fc46b10b25a172f2016a3ea952827d1b832099ba4cdb1e80e65
                                                    • Instruction Fuzzy Hash: 41D017357002148FCB14AABEE41885A7BEEEFC966634104BAE50AC7320DE75DC0187A1
                                                    Function 00B56469 Relevance: .0, Instructions: 17COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f816fbdebf2536019f79e992e3bebf3926098a6bacda981533a5b084c6fd4e7e
                                                    • Instruction ID: 4610a27f6f8e0a1ed5cc3b15310d1bc587f7c6abfd4d2588246a90462c6b12be
                                                    • Opcode Fuzzy Hash: f816fbdebf2536019f79e992e3bebf3926098a6bacda981533a5b084c6fd4e7e
                                                    • Instruction Fuzzy Hash: 4ED05EB96493404FC709AB28D1958247FF6EF8D21471200F9E549CB376DA29DD47CB15
                                                    Function 00B566D2 Relevance: .0, Instructions: 15COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac7febc19a5ad3888776d0deb2ae8a9142f17d725e389a5324d0b74a06036130
                                                    • Instruction ID: 80fb5cadf47d2573a03757b9c5c1db1895c06d3806c36c4884082874c162f33d
                                                    • Opcode Fuzzy Hash: ac7febc19a5ad3888776d0deb2ae8a9142f17d725e389a5324d0b74a06036130
                                                    • Instruction Fuzzy Hash: 73C08C3231A260576A06327C30751FDABCACAC95A235941BFFB05E3345CC548D030382
                                                    Function 00B5CAA0 Relevance: .0, Instructions: 13COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 499739443d0494f76b318eeeec082ba8c890e7ce384887f7ace35f5ebc805d03
                                                    • Instruction ID: 4b73f09ba877e08e9cc48076b7196c4539b2879e72d5c0d9d6662b66ff6ed8d7
                                                    • Opcode Fuzzy Hash: 499739443d0494f76b318eeeec082ba8c890e7ce384887f7ace35f5ebc805d03
                                                    • Instruction Fuzzy Hash: C8C09B87D55984CFF71604702DD51C07770F4512167D641A2CC4188913740C59475725
                                                    Function 00B56478 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 573a9e0d43dc2acf66cfec589be0913af452275c43d5406dff0576e60ebc5cbd
                                                    • Instruction ID: f0f225f6494c240fd98b81e29c8d7a0917369aae5389498b5d51009d6f4bf456
                                                    • Opcode Fuzzy Hash: 573a9e0d43dc2acf66cfec589be0913af452275c43d5406dff0576e60ebc5cbd
                                                    • Instruction Fuzzy Hash: FAC0C9387842044F8208EA5CD040C1573EAAB8C61471000A8E50987339CA20EC42C658
                                                    Function 00B55640 Relevance: .0, Instructions: 10COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3312809237.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_b50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21a03ef851624c265e48bee050ea629d6a5489d5f537dbad85ad3b7bf2971fa6
                                                    • Instruction ID: 1db67a30c5302d631332160ed4027b5c07d51f2f7dc779ce38aeef754f950670
                                                    • Opcode Fuzzy Hash: 21a03ef851624c265e48bee050ea629d6a5489d5f537dbad85ad3b7bf2971fa6
                                                    • Instruction Fuzzy Hash: 1DB02B3010420957C6100919AC085113B1DEB4111638001E9EC0800100AD23CC140080

                                                    Executed Functions

                                                    Function 028B4F58 Relevance: 11.9, Strings: 9, Instructions: 607COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-416939441
                                                    • Opcode ID: 5bb38fb7777e6d743047d5898b1f40c6838eab3c6202240d90c14fb5366a6f23
                                                    • Instruction ID: c03e3db7e539a654d835bb61cc83678bd313f7ed0e8a187abd6efec4e0f0cc44
                                                    • Opcode Fuzzy Hash: 5bb38fb7777e6d743047d5898b1f40c6838eab3c6202240d90c14fb5366a6f23
                                                    • Instruction Fuzzy Hash: E4327E38B002158FCB06DF69D4546EEBBF2AF89311F548069D809EB3A5DF389D46CB91
                                                    Function 028B3750 Relevance: 3.8, Strings: 3, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: d30c2399332946c36c4418999394f66453182a486404013b70929f9095200041
                                                    • Instruction ID: 6fb9b926a45039a48fc2b45cb45b10b01f85498010357cdb64b08c046601415f
                                                    • Opcode Fuzzy Hash: d30c2399332946c36c4418999394f66453182a486404013b70929f9095200041
                                                    • Instruction Fuzzy Hash: A2214B25B081900FC74B6B7918241BF7FB79FC622075885AEE90AC77D7DE288D078392
                                                    Function 028B3BE0 Relevance: 3.0, Strings: 2, Instructions: 465COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq
                                                    • API String ID: 0-3916115647
                                                    • Opcode ID: 6f42150e9411227348cc5e09cae2c22655ed56833ed25859ba725a79457e8aff
                                                    • Instruction ID: 0d48193cf858e3e2d70407f62eb3706c68be9b151549ad18d344fd7beb67fffc
                                                    • Opcode Fuzzy Hash: 6f42150e9411227348cc5e09cae2c22655ed56833ed25859ba725a79457e8aff
                                                    • Instruction Fuzzy Hash: EAF14F34B002059FCB4AAB79D8546AEBBBBEFC9300F148469E905D73A9DF349C06CB55
                                                    Function 028BC060 Relevance: 2.7, Strings: 2, Instructions: 187COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: K.$K/
                                                    • API String ID: 0-4103799487
                                                    • Opcode ID: 2f83b972292a3026a99f843fa4f506976e46ced3d2c4016975ad3f2a260b7de1
                                                    • Instruction ID: 928073cc7d7c1ac7359df71721d3c02ad14498f81d7bd48a27ef6cc481bfbfb0
                                                    • Opcode Fuzzy Hash: 2f83b972292a3026a99f843fa4f506976e46ced3d2c4016975ad3f2a260b7de1
                                                    • Instruction Fuzzy Hash: B1711B355006049BC35ADF24D69059BBBB6FF80304354CA6D814A8BBA4EF76F90ACFC1
                                                    Function 028BC070 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: K.$K/
                                                    • API String ID: 0-4103799487
                                                    • Opcode ID: 7157e09f3d2bd7fdc3755ca0662890fd7ac7c16e8bb1f1a7ea010b9ac168570b
                                                    • Instruction ID: 93705e664f7c05f8aa914a2af40b89c8bd188733aeb06732cc421dcab7d0626d
                                                    • Opcode Fuzzy Hash: 7157e09f3d2bd7fdc3755ca0662890fd7ac7c16e8bb1f1a7ea010b9ac168570b
                                                    • Instruction Fuzzy Hash: F3710A355406049BC35ADF24D65059BBBB6FF84304350CA6D814A9BBA4EFB6F90ACFC1
                                                    Function 028B385A Relevance: 1.5, Strings: 1, Instructions: 260COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: da38325a74d6e594799e823a5ebcd517b0a7a10659b58de9be9f52a3029a85bb
                                                    • Instruction ID: 7248be12b8679666ae40f65c760663a967c40ce57a67b2b5443a4e369dc69b98
                                                    • Opcode Fuzzy Hash: da38325a74d6e594799e823a5ebcd517b0a7a10659b58de9be9f52a3029a85bb
                                                    • Instruction Fuzzy Hash: 33A13178B002199FDB06DFA9D954AEEBBB7EF88310F104069E805E7365DB359C06CB51
                                                    Function 028BBEAF Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: bff3eee596e465d119257684c85ead3109461a2bca1f89e9ada0281b14f5c2a0
                                                    • Instruction ID: 6a48db664e25ca857569f6cdf4f20fe52708499017ad5e05a701b75182db5126
                                                    • Opcode Fuzzy Hash: bff3eee596e465d119257684c85ead3109461a2bca1f89e9ada0281b14f5c2a0
                                                    • Instruction Fuzzy Hash: AF418034B001048FC744DF6DC498A6EBBF6FF88710B6584A9E50ADB3B1CA70EC028B91
                                                    Function 028BBEC0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Te]q
                                                    • API String ID: 0-52440209
                                                    • Opcode ID: e5f6ef4ee33b92275c2656c9a5b66b1ddc1ed6ead770d1050856d473644afa55
                                                    • Instruction ID: 97da27587bc4c6710431c2ead116aa34368fd7b4b235a892ca1d4b08b014f8ad
                                                    • Opcode Fuzzy Hash: e5f6ef4ee33b92275c2656c9a5b66b1ddc1ed6ead770d1050856d473644afa55
                                                    • Instruction Fuzzy Hash: F6415D34B005048FC744DF6DC498A6EBBE6FF88710B6584A9E50ADB3B5CA71EC018B91
                                                    Function 028B2B10 Relevance: 1.4, Strings: 1, Instructions: 102COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 160f0b1fb04e37f36132b7de7215c95211f27aaeca2409bcc3db93ec7da8a32e
                                                    • Instruction ID: f42fc2aa0814bac91fb53c077d370b1c87a0ca115c776341dd218ab2a8a73948
                                                    • Opcode Fuzzy Hash: 160f0b1fb04e37f36132b7de7215c95211f27aaeca2409bcc3db93ec7da8a32e
                                                    • Instruction Fuzzy Hash: 17311C347102058FD709AB79C45866E77B2EFC9A1872081ADD10ACB3A5DF35DC47CB96
                                                    Function 028B4237 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: e7a7e3bd8db82e517ffa4297ff11e14cc27a1893836ba5f5c8a1001727d5e311
                                                    • Instruction ID: 1fb9c014f2739d0c40df29fdeb6b0bbcca260b509c91454e929f4bde58e994a8
                                                    • Opcode Fuzzy Hash: e7a7e3bd8db82e517ffa4297ff11e14cc27a1893836ba5f5c8a1001727d5e311
                                                    • Instruction Fuzzy Hash: F411E126A082800FC30B577968655BE7FB7DFC221174885EEC885CB797CE68990BD792
                                                    Function 028B1049 Relevance: .8, Instructions: 841COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9930edf8d7267a1a657a7929aa6b6e06ea9d59f11129983f403b13a57dd603fa
                                                    • Instruction ID: 27fa81c7dd4bda00aaa956524a2938c7359cc8069476792fbe0c709ad4c70710
                                                    • Opcode Fuzzy Hash: 9930edf8d7267a1a657a7929aa6b6e06ea9d59f11129983f403b13a57dd603fa
                                                    • Instruction Fuzzy Hash: DD82E2B8640209DFDB06EBE5E654B6E7B7BEF88300F104814D801273ADCB396D56DB26
                                                    Function 028B1058 Relevance: .8, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c46e3d798aa5b43fd025d87369164872b3f8d361dec271326961909690804613
                                                    • Instruction ID: ba68530efab6e06a0be09fc518cc0213c0b1e2ff35f8d8abde20cef3f25b8b84
                                                    • Opcode Fuzzy Hash: c46e3d798aa5b43fd025d87369164872b3f8d361dec271326961909690804613
                                                    • Instruction Fuzzy Hash: C982D2B8640209DFDB06EBE5E654B6E7B7BEF88300F104814D801273ADCB796D56DB26
                                                    Function 028BB0B0 Relevance: .7, Instructions: 680COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48e6f26597bd6c074ec80ba21d4453ab57283ba133770544b982d2bc32bdc8d5
                                                    • Instruction ID: 8c5d1d289c6b49c4a017ee5de658c06679160be6c061b134192e82d04a4cdd62
                                                    • Opcode Fuzzy Hash: 48e6f26597bd6c074ec80ba21d4453ab57283ba133770544b982d2bc32bdc8d5
                                                    • Instruction Fuzzy Hash: AC523878A01200CFCB1AEF64D55896977B2FF89309B54886DD80ADB3A5DB71EC42CF90
                                                    Function 028BAFA1 Relevance: .2, Instructions: 196COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b67b67c8a88b1951e46b2314cf89537365fda12f9e1507783fab6c1e62463896
                                                    • Instruction ID: 08950bc2727739035cdd15696f51822b09f8c3fafd3e16bec879f957b4197a85
                                                    • Opcode Fuzzy Hash: b67b67c8a88b1951e46b2314cf89537365fda12f9e1507783fab6c1e62463896
                                                    • Instruction Fuzzy Hash: 4961D5759093D04FC7039B78D8A05D97FB5EF83204B0A41EBC095CF1A7DA68980ECBA6
                                                    Function 028B3892 Relevance: .2, Instructions: 183COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be60d051d717a33dc20ab129caec8cc13859d0a2ee02470de0d6d7756a0b21ca
                                                    • Instruction ID: 2bc83a67e564af40c49233e19e596c5881038bc2ce64c1ad64c2e50ac9d9ee04
                                                    • Opcode Fuzzy Hash: be60d051d717a33dc20ab129caec8cc13859d0a2ee02470de0d6d7756a0b21ca
                                                    • Instruction Fuzzy Hash: 42712078B40219DFCB06DFA9E954AAEBBB6FF88300F104459E805A7369CB359C46CF54
                                                    Function 028BBB99 Relevance: .2, Instructions: 174COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f1833daca1a6dd14343a1932cac0636ac6a500bbb965fe4238f88c83a8193b53
                                                    • Instruction ID: 15c7b6332d879e3aa23b7ae98b07c5e5e3c39bc1af3e3008f16ffe1d28a1124f
                                                    • Opcode Fuzzy Hash: f1833daca1a6dd14343a1932cac0636ac6a500bbb965fe4238f88c83a8193b53
                                                    • Instruction Fuzzy Hash: 7581F7BC901205CFCF16EF94E689D69BBA6FF84308B55C568D5058B3A9C774E84ACF40
                                                    Function 028B5A91 Relevance: .1, Instructions: 148COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d31f89ff8731c558bc1a6cd925c7fedbb2f00ff1a8926d596a6e73a08cbf87ab
                                                    • Instruction ID: 9845fa4c7231f0cef8d4ce4834b3df8ee245564212267e42cad4c0cda643ac06
                                                    • Opcode Fuzzy Hash: d31f89ff8731c558bc1a6cd925c7fedbb2f00ff1a8926d596a6e73a08cbf87ab
                                                    • Instruction Fuzzy Hash: 5C514B78B002068FCB05DF68D594AAABBF6EF8D314B5140A9E509DB365DB34DC05CB51
                                                    Function 028BC798 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bfca8bbd48827dc755e01e6adc6c8b98bcfcebdfce313cc35e7985cb61d3e5cf
                                                    • Instruction ID: 235c50a9ec77afc4b2f46b870317066717ddcca6fc8a209502a2f268582bb9cb
                                                    • Opcode Fuzzy Hash: bfca8bbd48827dc755e01e6adc6c8b98bcfcebdfce313cc35e7985cb61d3e5cf
                                                    • Instruction Fuzzy Hash: 0A51F6356407009FC35A9F24D94089BBBB6EF85304354CA6EC18A9B664DF76F90ACFC1
                                                    Function 028B5240 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d68956b7f781b480e2e0499478caa63dd7e7264dd97083542a43826a80609b5
                                                    • Instruction ID: babd8f602351f4457b5b07212798432cfe1efbb74d29fc0412be9f6b007e0810
                                                    • Opcode Fuzzy Hash: 6d68956b7f781b480e2e0499478caa63dd7e7264dd97083542a43826a80609b5
                                                    • Instruction Fuzzy Hash: A1512D38A002189FCB15DFA9D494AEEB7B2FF88715F548169E805E7364DB34AD42CF90
                                                    Function 028B2850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d766f8a3fa02ca1d3a3cc66eb37b21f2e82cfa0b5d7a36f045e67d29e6bf8bb
                                                    • Instruction ID: 02d0ada13adef7ce1542a444b4838a2e68ceff9ad05e8f58c1f0fc2b1d4130a8
                                                    • Opcode Fuzzy Hash: 6d766f8a3fa02ca1d3a3cc66eb37b21f2e82cfa0b5d7a36f045e67d29e6bf8bb
                                                    • Instruction Fuzzy Hash: 6441E638E40209CFDB15EFA4D984AEEBBB6FF89340F104529D905A7369DB35984ACF50
                                                    Function 028B5308 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d53a593b245010f0307e345e0de3646c5260aaabf28a2494b57eea46af4105e0
                                                    • Instruction ID: e2bd95cc7be8245cf674c9a339e01a23cdf57ba00bce5bd252bf23f3ff2a3e10
                                                    • Opcode Fuzzy Hash: d53a593b245010f0307e345e0de3646c5260aaabf28a2494b57eea46af4105e0
                                                    • Instruction Fuzzy Hash: 7F41F938A001189FCB45EFA5E494AEDB7B2FF88315F548469E806E7364DB34AD42CF50
                                                    Function 028B2842 Relevance: .1, Instructions: 92COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aaa21b2c659a4df87a39b4be4ab7f21f5bfc10b2cfd7291713d6e154e5f0a89d
                                                    • Instruction ID: 81967a3d1c9dd23fec44f35abbb6adfe7f0910ca9817d5d6a37c25aee3017c41
                                                    • Opcode Fuzzy Hash: aaa21b2c659a4df87a39b4be4ab7f21f5bfc10b2cfd7291713d6e154e5f0a89d
                                                    • Instruction Fuzzy Hash: 78315D34E40209CFDB16EFA4E584AEEBBB6FF89300F104529D905A7269DF35985ACF10
                                                    Function 028B2C48 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ae7173c2a638d8dd72bfc66d7b9d065c4f0ef8d5e8f3c585338679213e96036
                                                    • Instruction ID: d5fd3c206f7efb2751bc98ecc16b55f3d8e0b18ded4002415f298ef5a1a12c6b
                                                    • Opcode Fuzzy Hash: 0ae7173c2a638d8dd72bfc66d7b9d065c4f0ef8d5e8f3c585338679213e96036
                                                    • Instruction Fuzzy Hash: CE41523490020ACFCB06EFA8D584AEE7BB6FF48314F104569D905A7368DB35A956CF90
                                                    Function 028B4B50 Relevance: .1, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4e9095ef48420c672c1e9e276c4c2b8a12fd200a0a8b8f94184f4245b09de87
                                                    • Instruction ID: 5b0b9397a573471a4bf5a6cdca3cdbea85618b100d4c5ce78063c9882d366ecc
                                                    • Opcode Fuzzy Hash: d4e9095ef48420c672c1e9e276c4c2b8a12fd200a0a8b8f94184f4245b09de87
                                                    • Instruction Fuzzy Hash: 2321D5302042415FC70AEB78E890E5E7BBBEF85310B048A69D4458B66ADF74AC0ECB91
                                                    Function 028B2C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 285de1bb1bbc5ab9ee7d9f9ad8826714c38fd9908cd77d7e9ef7778003a3b7e5
                                                    • Instruction ID: a34c502c0198eedefa8fc7f46ceee7e2037da8a0db3012caec3b056bc69d11f0
                                                    • Opcode Fuzzy Hash: 285de1bb1bbc5ab9ee7d9f9ad8826714c38fd9908cd77d7e9ef7778003a3b7e5
                                                    • Instruction Fuzzy Hash: 6A312F74A0020ACFCB09EFA8D584AEE7BB6FF48314F104569D905A7368DB35A956CF90
                                                    Function 028B288D Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eb22e061880d0c496ce79f65cc4c0544bce2024e524aa27155b85c9f7c776360
                                                    • Instruction ID: 2e2922689b8e7a38e9962beb57db4cb7fc91b8eb48cecfaf8bfb2d17f1804db1
                                                    • Opcode Fuzzy Hash: eb22e061880d0c496ce79f65cc4c0544bce2024e524aa27155b85c9f7c776360
                                                    • Instruction Fuzzy Hash: B9311B38E40209CFDB16EFA4E584AEDBBB6FF88340F104529D905A7368DB359846CF10
                                                    Function 028BCEC0 Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4b1f9f20dcaf3b6c7e3462fb5a74c54dbfe33db598b4d405878307aaa93a597
                                                    • Instruction ID: 58d143a056763ba709e4d648902966a67a36e133004896c05c008e9c3ea78ca8
                                                    • Opcode Fuzzy Hash: a4b1f9f20dcaf3b6c7e3462fb5a74c54dbfe33db598b4d405878307aaa93a597
                                                    • Instruction Fuzzy Hash: F2213578C01248DFEB15CFA8D5497DDBFB2AB48314F2480AEE809A7780CBB95846CF50
                                                    Function 027ED0EC Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3312785009.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_27ed000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4a33b7bf48adca380d10887f9600a3d2be371f86499a871bf0df3480d652848
                                                    • Instruction ID: 770aab62649c47a98356aa5ab99eaadf82e2c92e3bf8f2aea638b88cea8bda05
                                                    • Opcode Fuzzy Hash: b4a33b7bf48adca380d10887f9600a3d2be371f86499a871bf0df3480d652848
                                                    • Instruction Fuzzy Hash: 3F21D5B16042449FDF24EF24D9C4B26BBA9EB8C314F21C66DD90A4B351C33AD846C672
                                                    Function 027EE1DC Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3312785009.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_27ed000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ae0689dba0d3d7ab745657c57854733d5d260360eea499afd7e11eec0fbe23e
                                                    • Instruction ID: ffdf3183bb62f2f08895fa1c5dcd6722ca412bece40c06b50fc16212623ca28a
                                                    • Opcode Fuzzy Hash: 2ae0689dba0d3d7ab745657c57854733d5d260360eea499afd7e11eec0fbe23e
                                                    • Instruction Fuzzy Hash: 5721C3B16046449FEF14DF28D5C4B26BBA9EB88724F20CA6DD90A4B395C33AD446C672
                                                    Function 028B4B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29996b1d5975e71de6d358cf2e1a36753d769ef85e1f6ca7556befc1f14d4098
                                                    • Instruction ID: dc116327f514b04a58af39dc1aa061a5578a8f7c9af05c054dfb65ec492db8f8
                                                    • Opcode Fuzzy Hash: 29996b1d5975e71de6d358cf2e1a36753d769ef85e1f6ca7556befc1f14d4098
                                                    • Instruction Fuzzy Hash: CE21A1306002015FC70AEB79E880E6E77AFEF84310B408A39D0098B229DF74ED4ACB95
                                                    Function 028BCED0 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a64cd6bbb70634053a74e4795322c19a179cec2e7db8ae1edefd27c9d92c999e
                                                    • Instruction ID: 738da0635eb78b815179a5f6cd86fcc79880f8f221f11bbb1e1b60aa8908b7c0
                                                    • Opcode Fuzzy Hash: a64cd6bbb70634053a74e4795322c19a179cec2e7db8ae1edefd27c9d92c999e
                                                    • Instruction Fuzzy Hash: 2A212378900248DFDB15CFA8D549B9EBFB6AF48314F20805AE809A7780CBB99845CF90
                                                    Function 028B5C43 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13b6b0c0eb02c71cc21e491a3cf04bce012e13269175d287e8429eab7126c1c0
                                                    • Instruction ID: 574df03bad7efc157fd17802bb39dc2c61cee97d328b0911d0c1b041ac16d046
                                                    • Opcode Fuzzy Hash: 13b6b0c0eb02c71cc21e491a3cf04bce012e13269175d287e8429eab7126c1c0
                                                    • Instruction Fuzzy Hash: B221A438A042988FDB02CBA9C5A8BDDBFF1AF49310F1801A9D445FB362C7355D45CB60
                                                    Function 028B2908 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63853ceeff00ee500d2ff968953b1ddd774b0d74118dddc72484ebafbd703e68
                                                    • Instruction ID: c0d84562ea09973e6a6ee152bfd4012eb97a3a2b67659e75ef2d716d2398ff2d
                                                    • Opcode Fuzzy Hash: 63853ceeff00ee500d2ff968953b1ddd774b0d74118dddc72484ebafbd703e68
                                                    • Instruction Fuzzy Hash: A521E738E401099FDF15EFE4D9809EDBBB6FF88344F108129D919A7269DB34981ACF11
                                                    Function 028B5C68 Relevance: .1, Instructions: 60COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fdb34f9b97b896f04a83a713c55a0de085ee063643a69064c57d25c02abe09df
                                                    • Instruction ID: e46e35d2eccd45e326b95c2a6ba2489afe02f4a25b02f88a355397f469df0773
                                                    • Opcode Fuzzy Hash: fdb34f9b97b896f04a83a713c55a0de085ee063643a69064c57d25c02abe09df
                                                    • Instruction Fuzzy Hash: FB216A39A002188FDB05DBA9D598BDDBBF1AF4C310F6400A9D405FB360DB39AD44CBA0
                                                    Function 028B6888 Relevance: .1, Instructions: 59COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e07c89b72767bd51196c6e1e2d4acd658c48920ea686a78ffce1171e0a05603
                                                    • Instruction ID: 8c7f2d854e91b41dd0b75ca94e0d2e08f624d8f25748410ddc0472fe7bd098f6
                                                    • Opcode Fuzzy Hash: 4e07c89b72767bd51196c6e1e2d4acd658c48920ea686a78ffce1171e0a05603
                                                    • Instruction Fuzzy Hash: FB216D7990021ACFDB15CBA4C6097EEBBF5AF49305F108069C009EB351EB758A05CF51
                                                    Function 028BC000 Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 03f6651ce4273d30370cdfd5505ae5c46986f6ad254b3ab03335eeef2d48f988
                                                    • Instruction ID: 0ca0a833e659e1042fc72fa193f5fbcdd1956c705514577eeb0fc96f2f8632dc
                                                    • Opcode Fuzzy Hash: 03f6651ce4273d30370cdfd5505ae5c46986f6ad254b3ab03335eeef2d48f988
                                                    • Instruction Fuzzy Hash: 7211CE347002498FCB05DF28E888D99BBBAFF45718B0140A9E506CB336CB71ED06CB80
                                                    Function 028B296A Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee77dadd0aec3ce811343eededd095a2ff4b023fe9623d308dd0f8d55f9b58da
                                                    • Instruction ID: 1d61b361efaff059206395d68b70a73aa165161126c1749b128bc288ecc04b79
                                                    • Opcode Fuzzy Hash: ee77dadd0aec3ce811343eededd095a2ff4b023fe9623d308dd0f8d55f9b58da
                                                    • Instruction Fuzzy Hash: B8219738D402089FDF15EFA4D9849DDBBB6FF48300F104129D909A7369DB35A956CF51
                                                    Function 028B41A2 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0eac556477fabb334f5092931f26e075d07c48a913c16711d17ef7e81f9c5d0
                                                    • Instruction ID: 5424246769c6750e2ccd2000535ec3c3c75b1c397eecf96a6079f12c25dee561
                                                    • Opcode Fuzzy Hash: d0eac556477fabb334f5092931f26e075d07c48a913c16711d17ef7e81f9c5d0
                                                    • Instruction Fuzzy Hash: 6E01DE31B092816FC30B6B75A8644AF7FBBDF8622076844DBD845DB243CE215C0BCB66
                                                    Function 028B5911 Relevance: .1, Instructions: 52COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a5ec46082745090a82b068878805061e094c8a0eeded1cdef4191b134a1dcbd0
                                                    • Instruction ID: cbe6c3ef8ebb21864e7aa801757835cfac5ec5b640e3b97fe7c22d97b3070651
                                                    • Opcode Fuzzy Hash: a5ec46082745090a82b068878805061e094c8a0eeded1cdef4191b134a1dcbd0
                                                    • Instruction Fuzzy Hash: D801B5367092909FC3425B79E4A59A9BF76EF8B36431884EED545CB363CA318C06CB61
                                                    Function 027ED0E7 Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3312785009.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_27ed000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction ID: c9563e1fd34cd32f4ad153a977a8335aca900b0f0b6efe04db4261220a80a401
                                                    • Opcode Fuzzy Hash: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction Fuzzy Hash: 4B11A0B5504280CFDB25DF14D5C4B15BFB1FB89314F24C6ADD84A4B652C33AD44ACB62
                                                    Function 027EE1D7 Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3312785009.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_27ed000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction ID: 1b655c8fee7dadac2ad9fd770c46f09020b3ec914ba9f923eea3cdca2aae80d8
                                                    • Opcode Fuzzy Hash: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction Fuzzy Hash: 8111A0B5504680CFDB15DF24D5C4B26BFA1FB48324F24CAADC84A4B692C33AD44ACB62
                                                    Function 028B32E0 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08ea73a1333503ece9b25bdfafc72b2cefa3e93c55c6a766b67719070c7c59ca
                                                    • Instruction ID: 543100a0a8376e0e439802679ebe1c5fa7accbb8bef998765c217df984eb372e
                                                    • Opcode Fuzzy Hash: 08ea73a1333503ece9b25bdfafc72b2cefa3e93c55c6a766b67719070c7c59ca
                                                    • Instruction Fuzzy Hash: 3A114F38E401448FCB469BB8E468BEE7BB2AB89311F04485DD94297356DF39981BCF51
                                                    Function 028B5940 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43ced784ecfe6994fd08268fc66326f06c390fe7e73a50ed315841dadfedf824
                                                    • Instruction ID: eacf0ab9007f965af2e52f0bddde20cbecc29b45b6cec56af791e796f5137f8c
                                                    • Opcode Fuzzy Hash: 43ced784ecfe6994fd08268fc66326f06c390fe7e73a50ed315841dadfedf824
                                                    • Instruction Fuzzy Hash: A30144767002109F8705AB69F49895EB7ABEBC9761350857EE609C7312DE32DC16CBA0
                                                    Function 028B2A80 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 435f6acaef42ac1b73eb6e99bc4626cea0f1881bab6af8d9f77610cf8d2c9939
                                                    • Instruction ID: 404b4cb44b9f9b4ff1176f561097082f563578f5fba294423443d6c83ea214e9
                                                    • Opcode Fuzzy Hash: 435f6acaef42ac1b73eb6e99bc4626cea0f1881bab6af8d9f77610cf8d2c9939
                                                    • Instruction Fuzzy Hash: 66015E386106404FC712AB78D45989A7BF6EF8531471489AED18ACB725DB75EC098FC2
                                                    Function 028B32F0 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6c7b7f46bb2600531e52f7708a5c05ba3833516c8bcda09c1d916071aaa962ae
                                                    • Instruction ID: 2814d371dcd966982fabd7d699ca194b6ed25c915d8d416b291a5676e9c2582a
                                                    • Opcode Fuzzy Hash: 6c7b7f46bb2600531e52f7708a5c05ba3833516c8bcda09c1d916071aaa962ae
                                                    • Instruction Fuzzy Hash: 5D014038E401048FCB46EFB8E468B9E7BB6EB89311F04486DD90297356DF399816CF51
                                                    Function 028B41E0 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d26647f1358403f1e1df93ad8aafa50cc7b141d7aaf942ede5f08e2f1af874fc
                                                    • Instruction ID: 62ce161082c97cef71f42adce91486ddfd63b70efc950da4cc76810c116f9e80
                                                    • Opcode Fuzzy Hash: d26647f1358403f1e1df93ad8aafa50cc7b141d7aaf942ede5f08e2f1af874fc
                                                    • Instruction Fuzzy Hash: 03E0E531B041056F8709A6AA78949AF76AFEBC9260794086AE10DD7300CE216C018BAA
                                                    Function 028B6390 Relevance: .0, Instructions: 30COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba6f9f064cfbc3db179af37a58c7ead0b870b240ec81472b01147e1d672bc294
                                                    • Instruction ID: cd196c8dfc51db629d0b25df54faf30f1e619e2ce722ec01bb13ea00c1d95022
                                                    • Opcode Fuzzy Hash: ba6f9f064cfbc3db179af37a58c7ead0b870b240ec81472b01147e1d672bc294
                                                    • Instruction Fuzzy Hash: BDF09034D00248AFCF45EFB8A5555DDBFB6DF89200F1045A8D448E7205EA314E06DF11
                                                    Function 028B2D92 Relevance: .0, Instructions: 28COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9483e89929d2e3e2998103573c86b3e3cea4a6638f3b1514f83a9e4ce2e31d2
                                                    • Instruction ID: 7346edcb8ffad9bc2004b1ffcf8a2d23a3bd0c109d486656547b1842bd464e88
                                                    • Opcode Fuzzy Hash: b9483e89929d2e3e2998103573c86b3e3cea4a6638f3b1514f83a9e4ce2e31d2
                                                    • Instruction Fuzzy Hash: 9CF0B874A100598FCB82EFBC94092DE7FF4EF49200B1040A9C949E7322EA709912CB81
                                                    Function 028B6398 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25e339197d9f8cd1cd75ca7cbff1e83c5954f63bb180964054046c49f38df238
                                                    • Instruction ID: 6ed72559441306df44afad09615ee70455b25096034c073dad47d160f78983b5
                                                    • Opcode Fuzzy Hash: 25e339197d9f8cd1cd75ca7cbff1e83c5954f63bb180964054046c49f38df238
                                                    • Instruction Fuzzy Hash: 24F01238E00209EFCB45EFB8D54559DBBBADF44200F5045A99408E7355DA315E05DF51
                                                    Function 028B1FF8 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5782bec0e279760c6b1010ebbbc5a62821b32b009176cddd5e745c6fc406c51f
                                                    • Instruction ID: 0435fdb7615bc42be77bf84214818a0c8c4c6935392e46d913fb19487cffdf37
                                                    • Opcode Fuzzy Hash: 5782bec0e279760c6b1010ebbbc5a62821b32b009176cddd5e745c6fc406c51f
                                                    • Instruction Fuzzy Hash: 86E0ED38B452814FCB121778D02849A7FE9DE8A20230404E6E546CB333CD20D827C711
                                                    Function 028B2DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c747a19c0e1ab6332fa8393437998973b25b8faf56942130387ec931163eeed5
                                                    • Instruction ID: 07e551983c98dd4bc95552be556483b023df19c437654315edbdd5f668c01ea1
                                                    • Opcode Fuzzy Hash: c747a19c0e1ab6332fa8393437998973b25b8faf56942130387ec931163eeed5
                                                    • Instruction Fuzzy Hash: C5E0ED75E101188F8B85EFBDD9096DE7BF9EF49310B1140AAD519E7311EB709D018B91
                                                    Function 028B374F Relevance: .0, Instructions: 23COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33f25c37561a68dc4ecfe0de6cb875fbe375197e3b0d5a983e26100be23558f3
                                                    • Instruction ID: a0df0684f130154c3f76560847e545d00d9dca5ddfac5115ec3a975403e196b9
                                                    • Opcode Fuzzy Hash: 33f25c37561a68dc4ecfe0de6cb875fbe375197e3b0d5a983e26100be23558f3
                                                    • Instruction Fuzzy Hash: D3E0C23AB041102B8766523A60544FE67B7DFC8271318807ADE0DC3709FF308C078795
                                                    Function 028BDD40 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13d600548781e5160cbc96d4ff9b98dfb040af615dd193c5e20e68ff66b65c47
                                                    • Instruction ID: 590291762524ad9eda191a9679ae77a1cbdea78ca2e75e3d5b84e9529c55dc93
                                                    • Opcode Fuzzy Hash: 13d600548781e5160cbc96d4ff9b98dfb040af615dd193c5e20e68ff66b65c47
                                                    • Instruction Fuzzy Hash: A6D012362519248F8751D768E544896B7E8EF4A6653004595E94DC7B20CB61FC0086D0
                                                    Function 028B66C8 Relevance: .0, Instructions: 19COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a580ced609f74824ad33bbdce3c1db85abe6180edb726730effd077160fccab4
                                                    • Instruction ID: 714766b85d0100871081855721cf9c8dfba8c9f36cbf3e7ce904c6425458466c
                                                    • Opcode Fuzzy Hash: a580ced609f74824ad33bbdce3c1db85abe6180edb726730effd077160fccab4
                                                    • Instruction Fuzzy Hash: B1D05E327092A08F83071B5CB8140D9BBAADE8B22135911E7F105DB357CE244C46D792
                                                    Function 028B6469 Relevance: .0, Instructions: 16COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40aab3b49f22d0486360e445fff54146b1abc23923ad3f0ab7420cebadc7fcda
                                                    • Instruction ID: e36f962804066f3345d1f5c40e260cef3d15a9929f9bda378820b17b4f3518d4
                                                    • Opcode Fuzzy Hash: 40aab3b49f22d0486360e445fff54146b1abc23923ad3f0ab7420cebadc7fcda
                                                    • Instruction Fuzzy Hash: 7ED017796442408FC348AB68D195816BBAAEF8D36071040EAE008CB37ADA28D882CB15
                                                    Function 028BCFFE Relevance: .0, Instructions: 14COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a45fe9268c15dc89b33a5de31093ecb0f33a65897ff643bbd6956d614adc6339
                                                    • Instruction ID: c8edb8371ddaf36eae2d9bae0dfe07f0ade3211a29736bf8d77c8a81e2c4e8de
                                                    • Opcode Fuzzy Hash: a45fe9268c15dc89b33a5de31093ecb0f33a65897ff643bbd6956d614adc6339
                                                    • Instruction Fuzzy Hash: 0FD05E3C01520196FF21061191493A52D525F80219F14902DB40E866D0CBF680C7DE20
                                                    Function 028B6478 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8de0e357f532565efd9aa9087f87fa2d8694ff1786f1f5f74da074ce267f07fb
                                                    • Instruction ID: 721d5b4031ca5fb1ae6bc790e2930c44de5e9265e704561211f5ba84efe3099d
                                                    • Opcode Fuzzy Hash: 8de0e357f532565efd9aa9087f87fa2d8694ff1786f1f5f74da074ce267f07fb
                                                    • Instruction Fuzzy Hash: DAC012347402044F8208EB6CD045C1573EEEF8C71071000A5E509C7339CD21EC42C618
                                                    Function 028B5640 Relevance: .0, Instructions: 10COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3315163199.00000000028B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_28b0000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 30c7f75cb52c1a6b0f9e7f29df42aecf1e35e927ec03fa86cf6a8ccdb3bf43fb
                                                    • Instruction ID: 206ab12c6ede4bc825b0c2acf2eeafef8ca8bc979df98a24065984a3145427dc
                                                    • Opcode Fuzzy Hash: 30c7f75cb52c1a6b0f9e7f29df42aecf1e35e927ec03fa86cf6a8ccdb3bf43fb
                                                    • Instruction Fuzzy Hash: D3B02B3854420D5786030525BC08411371DEF412197400198AC0C40213EE23D4214080

                                                    Execution Graph

                                                    Execution Coverage:10.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:9
                                                    Total number of Limit Nodes:0
                                                    execution_graph 15907 66d6b4 15908 66d6cc 15907->15908 15909 66d726 15908->15909 15912 96e581 15908->15912 15915 96e5a8 15908->15915 15913 96e5bc 15912->15913 15914 96e5f6 KiUserExceptionDispatcher 15913->15914 15914->15909 15916 96e5bc 15915->15916 15917 96e5f6 KiUserExceptionDispatcher 15916->15917 15917->15909

                                                    Executed Functions

                                                    Function 0096E581 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 987 96e581-96e609 call 96e0c8 KiUserExceptionDispatcher
                                                    APIs
                                                    • KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0096E602
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3312868365.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_960000_Pinball.jbxd
                                                    Similarity
                                                    • API ID: DispatcherExceptionUser
                                                    • String ID:
                                                    • API String ID: 6842923-0
                                                    • Opcode ID: b633abcd96f793ca399e84ef88173bebecf3475e2cdd83e48e6b678a6f7f2788
                                                    • Instruction ID: a237b9d668e97fe15ef293438c79b037ea3efacdee9138751670b834c72c9737
                                                    • Opcode Fuzzy Hash: b633abcd96f793ca399e84ef88173bebecf3475e2cdd83e48e6b678a6f7f2788
                                                    • Instruction Fuzzy Hash: CD0126313053458FE304DB69E8A19AA7FF5FF963103104A6BE465CB263DA34AC0BCB61
                                                    Function 0096E5A8 Relevance: 1.5, APIs: 1, Instructions: 38COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 995 96e5a8-96e609 call 96e0c8 KiUserExceptionDispatcher
                                                    APIs
                                                    • KiUserExceptionDispatcher.NTDLL(00000000,00000000), ref: 0096E602
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3312868365.0000000000960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_960000_Pinball.jbxd
                                                    Similarity
                                                    • API ID: DispatcherExceptionUser
                                                    • String ID:
                                                    • API String ID: 6842923-0
                                                    • Opcode ID: c0fc20ccd46671c74fd2520fd48f33a5d22d7661b86395cc5fa75d0b2e17d831
                                                    • Instruction ID: a2271dd85a2a3b19ed8b1e89cb5f67dbb979c010d409e782d024cc3c7fd8c0f4
                                                    • Opcode Fuzzy Hash: c0fc20ccd46671c74fd2520fd48f33a5d22d7661b86395cc5fa75d0b2e17d831
                                                    • Instruction Fuzzy Hash: 9CF062313002189F9704DB9EE8549AF7BBAFFD92607504529E515D7364DA35AC0587A0
                                                    Function 0066DA58 Relevance: .1, Instructions: 73COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3480b6b65fddf12b0611d4b8b5650af60119afeb6c24df934c8cff3eb79e6325
                                                    • Instruction ID: 4bcf1ec9dbff16ca18b4d88d3f4395a364764d719e7786e464e0c72e658b5dc5
                                                    • Opcode Fuzzy Hash: 3480b6b65fddf12b0611d4b8b5650af60119afeb6c24df934c8cff3eb79e6325
                                                    • Instruction Fuzzy Hash: 8121D3B5A48244DFCB05DF64D9C0B26BB66FB88314F24C669D9094A356C33AD806DBA1
                                                    Function 0066D6B4 Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6234064b566eac656bbdd1037bb67c9be7d45b9ad52270b3772f3335d49459a4
                                                    • Instruction ID: 1358c923b0190e9694c9d824a7c2f400859aa502d7f20c5b0cb2615554b65fe0
                                                    • Opcode Fuzzy Hash: 6234064b566eac656bbdd1037bb67c9be7d45b9ad52270b3772f3335d49459a4
                                                    • Instruction Fuzzy Hash: 19210475A04244EFCB05DF24D9C0F26BF66FB88314F20C56DE8094B392C73AD806CAA2
                                                    Function 0066D0EC Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a0a00568c88449fed3ff896124d80a7ba89f3c6339a1277188f9b56b28736e4b
                                                    • Instruction ID: a7a1016d914a87238560aa0a3a87ce70c1360fdaf18f536a17003da84086b0a2
                                                    • Opcode Fuzzy Hash: a0a00568c88449fed3ff896124d80a7ba89f3c6339a1277188f9b56b28736e4b
                                                    • Instruction Fuzzy Hash: 922105B1B042449FDB14EF24D9C0B26FBA6EB95314F20C66DD9094B351C3BAD806C6A1
                                                    Function 0066E1DC Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62c5be9bf060f3c5a9f4f616e819601b7f1edac0de6f29091a3a585e2dadd320
                                                    • Instruction ID: 39e2b2bfeabd45d202521595166ef884dcc1b66a3633c25834d4f52a9cc4ad41
                                                    • Opcode Fuzzy Hash: 62c5be9bf060f3c5a9f4f616e819601b7f1edac0de6f29091a3a585e2dadd320
                                                    • Instruction Fuzzy Hash: 0E2123B46042409FDB14DF24D5D0B26BBAFEB94314F30CA6DD9094B381C33B9806C6A2
                                                    Function 0066DA53 Relevance: .1, Instructions: 54COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: db46f736a5866ba9c7ba67d80a3dc2bfd20b1a216abf44fb940905ee0eae38f6
                                                    • Instruction ID: dab1819c04b7e929a61f4101db222e4cbb63bec8094cd81871f3a61c3054b9c4
                                                    • Opcode Fuzzy Hash: db46f736a5866ba9c7ba67d80a3dc2bfd20b1a216abf44fb940905ee0eae38f6
                                                    • Instruction Fuzzy Hash: 1A11BEB6A04280CFCB06CF14D9C4B15BF62FB88314F24C6A9D9094B366C33AD81ACB61
                                                    Function 0066D6AF Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction ID: 458a5f73322b2fb3aa3c233385da5f4fd1a85880de70faf730fa90e6f584df60
                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction Fuzzy Hash: CF119D79A04280DFDB16CF14D5C4B55BFA2FB84314F24C6AAD8494B756C33AD84ACBA2
                                                    Function 0066D0E7 Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction ID: 1748ebf62fd4b390f02d1cb24d80c480eb7f9991eee27ae89cf8731c6d0cca46
                                                    • Opcode Fuzzy Hash: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction Fuzzy Hash: D3110EB1A042808FDB01DF10C5C4B15FBB2FB85304F24C6ADC8494B352C33AD80ACB52
                                                    Function 0066E1D7 Relevance: .0, Instructions: 50COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.3308370383.000000000066D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0066D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_66d000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction ID: 4063ee7fc461f9dae9fb5162a84e77fe7d2f139c014f20527c0df038f0238374
                                                    • Opcode Fuzzy Hash: 561e0040fa13a4c8f15330505c2ec777d2b9bad7fdc99719fcd56c8bdcde1cea
                                                    • Instruction Fuzzy Hash: F4110AB95042808FDB11CF20C5D4B25BFA6FB94304F24CAADC8494B392C33BA80ACB52

                                                    Executed Functions

                                                    Function 02A54F58 Relevance: 11.9, Strings: 9, Instructions: 602COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-416939441
                                                    • Opcode ID: 2bd2431c13cdb626e1cee5d042f11915d0f5992813b0c85f7779016c1f42e8d8
                                                    • Instruction ID: 946d0d27043e94a73e8e05a17c9aca34cc2e432d3f88df79a1fd72dc2c373359
                                                    • Opcode Fuzzy Hash: 2bd2431c13cdb626e1cee5d042f11915d0f5992813b0c85f7779016c1f42e8d8
                                                    • Instruction Fuzzy Hash: A632B030F002258FDB15DF69D4946AEBBF2AF89310F648169E806EB395DF349D42CB91
                                                    Function 02A53860 Relevance: 4.4, Strings: 3, Instructions: 686COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: 1e4d3631f87d843327f9a9e8e753aaba45ce298bbddb96f63833aa41b2220ab8
                                                    • Instruction ID: 5f2ed26a48eac265ae39fd6e165d5599aa59f046ee2cfb8817295bdd601c7a40
                                                    • Opcode Fuzzy Hash: 1e4d3631f87d843327f9a9e8e753aaba45ce298bbddb96f63833aa41b2220ab8
                                                    • Instruction Fuzzy Hash: 10428034B002159FDB15EF69D954AAEBBB7EFC8300F148569E806A73A9CF349C06CB51
                                                    Function 02A53750 Relevance: 3.8, Strings: 3, Instructions: 87COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: fef3f28b545b1f1367817303f9a8c7cd9b58294ce6663a1470030d274212af9d
                                                    • Instruction ID: 79cf27526daa0abd760be12d2dca76b427934e4f5e01bdbf225ae07b431840e9
                                                    • Opcode Fuzzy Hash: fef3f28b545b1f1367817303f9a8c7cd9b58294ce6663a1470030d274212af9d
                                                    • Instruction Fuzzy Hash: 29214B31B081954FD71BAB39182017F7BA79BD621071881AAFC0AC7786DE288C078396
                                                    Function 02A52B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 57b4d790446331b9f4e141005f355f28f092d39e3a840f5f0d3d9cea3352fac5
                                                    • Instruction ID: 426692b80712bd4bdc7ca4b5c4e4cf13dbf4a93d308d60875961d2295d80a1ac
                                                    • Opcode Fuzzy Hash: 57b4d790446331b9f4e141005f355f28f092d39e3a840f5f0d3d9cea3352fac5
                                                    • Instruction Fuzzy Hash: CC313C307112058FD719AB39C45496E37B2EFC9A18B20816CD14ACB3A4DF39DC03CB96
                                                    Function 02A52B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 66a05485574f9be092a56ff6b46da3bf9d983ce2c9877f55de4e43188aa33191
                                                    • Instruction ID: d91d5ad49e07cd69427483a84ecf0506a6e68f75054836433733fce22050e77a
                                                    • Opcode Fuzzy Hash: 66a05485574f9be092a56ff6b46da3bf9d983ce2c9877f55de4e43188aa33191
                                                    • Instruction Fuzzy Hash: CA310C347102158FD719EB39D45491E33B2EBC9A18B208568D50ECB3A4DF39DC43CB96
                                                    Function 02A54248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: 18941f576d84911ac13b1c0e8528d3fb046e30e7dd1a115ba2404c2c488ef6fb
                                                    • Instruction ID: 9d9e838a657d569dd38debcc2410361f1e7597efa056d2eaf1bb4d0e5273c830
                                                    • Opcode Fuzzy Hash: 18941f576d84911ac13b1c0e8528d3fb046e30e7dd1a115ba2404c2c488ef6fb
                                                    • Instruction Fuzzy Hash: 610168327082500FD70AAB3D68205BF7BA7EFD251074884AED8828F385CE689C47C3D1
                                                    Function 02A51049 Relevance: .8, Instructions: 841COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 46ca4856cc1867cb8429e82bab6461ddf0d7365b6814690617cf53f1108db31b
                                                    • Instruction ID: 6548a63c1c734fb6455d0e052f1874cdcc9e54dbe829eb48098d7b7c280d1d3f
                                                    • Opcode Fuzzy Hash: 46ca4856cc1867cb8429e82bab6461ddf0d7365b6814690617cf53f1108db31b
                                                    • Instruction Fuzzy Hash: AD8271B8600209CFDB16EBA4E754B6E7B7BEF98304F104914E800677ADCB396D55CB26
                                                    Function 02A51058 Relevance: .8, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c04f31571273dde692f91728aa0119ab74e9d5c089da07be4681560bf73d1eba
                                                    • Instruction ID: 15e2390fe34cc469aec1c10098cab720acb2c2371398e9d9a5e07d0da2cf1abf
                                                    • Opcode Fuzzy Hash: c04f31571273dde692f91728aa0119ab74e9d5c089da07be4681560bf73d1eba
                                                    • Instruction Fuzzy Hash: 628270B8600209CFDB16EBA4E754B6E7B7BFF98304F104914E804677ADCB396945CB26
                                                    Function 02A5385A Relevance: .2, Instructions: 164COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4a6ab562856cddbc8d065f5a8ddd37a9b12ea8f45a9c2eeee24990dd695a2e5b
                                                    • Instruction ID: 4ef8b022df4eb2f1dd53c2daf2c2e7345bebccac787950395f5612e8630c9e00
                                                    • Opcode Fuzzy Hash: 4a6ab562856cddbc8d065f5a8ddd37a9b12ea8f45a9c2eeee24990dd695a2e5b
                                                    • Instruction Fuzzy Hash: AC612B74A01218EFDF05DFA5E994AAEBBB6BF88310F208165E805A7365DF359C02CB50
                                                    Function 02A53895 Relevance: .1, Instructions: 141COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f86931e974722a35f07e7228fbb27888d8bad765ad6a616f64bb68f7a735600f
                                                    • Instruction ID: 5aaa769d7612a031362b6bf1d97b07fe7bea65713aad6c1ad7edb00d72551ca6
                                                    • Opcode Fuzzy Hash: f86931e974722a35f07e7228fbb27888d8bad765ad6a616f64bb68f7a735600f
                                                    • Instruction Fuzzy Hash: 22512A74A41218EFCF05DFA9E994AAEBBB6BF88310F208055E805A7365CF35DC02CB50
                                                    Function 02A55240 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f79101d2379ee100a6b20e2d0a7d474e7d34bcca969a326e2b50ce8c98196ceb
                                                    • Instruction ID: d182ca2222a6a855d6e5d311a5fc385ee924d36c68390804f4bc816087f298a9
                                                    • Opcode Fuzzy Hash: f79101d2379ee100a6b20e2d0a7d474e7d34bcca969a326e2b50ce8c98196ceb
                                                    • Instruction Fuzzy Hash: 7A512C30E00228DFCB14DFA5D594AAEB7F2BF88715F548169E809AB264DF349D42CF90
                                                    Function 02A52850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88b36f2770d2a99bf77479cfec2165d7df4d40861031624e6b6bbd34786b5661
                                                    • Instruction ID: 050e71b5e6edf57c90f324f6bba61910bd5d3b0043585ce34a991f15c6b8cc4f
                                                    • Opcode Fuzzy Hash: 88b36f2770d2a99bf77479cfec2165d7df4d40861031624e6b6bbd34786b5661
                                                    • Instruction Fuzzy Hash: 1341D734E40219CFDB14DFA5D984A9EBBB6FF88305F104629E905AB265DF349846CF50
                                                    Function 02A55308 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6625ca35801812d6c4837229e341a0a83915fa7306d6759f7c7aa0a565303f43
                                                    • Instruction ID: 19c54132057e4b6f5c698f85367e5046499b6c0baede2a308530ed408bb06777
                                                    • Opcode Fuzzy Hash: 6625ca35801812d6c4837229e341a0a83915fa7306d6759f7c7aa0a565303f43
                                                    • Instruction Fuzzy Hash: E741F734E012249FCB15EFA5E5949AEBBB3BF88315F608165E80AA7364DF349D42CF50
                                                    Function 02A52842 Relevance: .1, Instructions: 92COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 578bf9cdb81bdc0d7f7f33e3951a67974d0abbbdbbd38694a78c8ffcb4917b31
                                                    • Instruction ID: 9b39a1ac57440ef038e5b7cbf737a831befe2c76239d14cd446e1755364f0069
                                                    • Opcode Fuzzy Hash: 578bf9cdb81bdc0d7f7f33e3951a67974d0abbbdbbd38694a78c8ffcb4917b31
                                                    • Instruction Fuzzy Hash: 46314C30E40209CFDF15DFA4E594AEEBBB6FF88304F144529E902AB264DF349846CB50
                                                    Function 02A52C48 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f070bc2627885c58836c57c1b453f268d7f6a5c372e64d7bdf2af117e8478b7e
                                                    • Instruction ID: bc379d06f5a20889d9b3a51903a7f96cbf50c182e5d11e33bb8f785c4bd7767e
                                                    • Opcode Fuzzy Hash: f070bc2627885c58836c57c1b453f268d7f6a5c372e64d7bdf2af117e8478b7e
                                                    • Instruction Fuzzy Hash: E9416A34A0020ACFCB15EFA8D685AEE7BB1FF59304F104629D805A7768DB349946CF90
                                                    Function 02A54B50 Relevance: .1, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f467643bcf94ff1f8fde42d19c5164f44cebb5b550ee6baab2d2e4b941c1c83
                                                    • Instruction ID: 8aa7d8a64525b7583854906b79e656a906ada1c9f9215c7bb2103406bfa9efc8
                                                    • Opcode Fuzzy Hash: 7f467643bcf94ff1f8fde42d19c5164f44cebb5b550ee6baab2d2e4b941c1c83
                                                    • Instruction Fuzzy Hash: E52128302043415FC71AEB78E890A9E7BABEF81210B048A79D4458F669DF74EC4ECB95
                                                    Function 02A52C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8f17e2e388389d57f5624559a6209fb0b21779135c31e8436e3a81b8482fb72
                                                    • Instruction ID: ef8ddb36a115ff049078733f5314405c7109ab25103077a0c04de08daf863b63
                                                    • Opcode Fuzzy Hash: d8f17e2e388389d57f5624559a6209fb0b21779135c31e8436e3a81b8482fb72
                                                    • Instruction Fuzzy Hash: AE314934E0020ACFCB14EFA4D685AEE7BB6FF58308F104629D805A7758DB34A955CF90
                                                    Function 02A55698 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e9645f934379e59c8618149b02955f43315f10e9050a4092e9337033b01b6bb
                                                    • Instruction ID: c4b7f7f9b8a3c46f6f8418f5bd57d850e6d07e80ae4317fe8a5687d3bfaf34b2
                                                    • Opcode Fuzzy Hash: 9e9645f934379e59c8618149b02955f43315f10e9050a4092e9337033b01b6bb
                                                    • Instruction Fuzzy Hash: 61218B70F016149FCB14DF69D598A6EBBF6AF88600F644469E806EB364DF71EC02CB50
                                                    Function 02A5288D Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b46a370087a5d37aa0279c6342b77446189b04554e6c89b8a7b24d93e9af171
                                                    • Instruction ID: 40c7c22493ad58fbdf208950552fe626d4d7981a6609743a4ff23ef74f947378
                                                    • Opcode Fuzzy Hash: 6b46a370087a5d37aa0279c6342b77446189b04554e6c89b8a7b24d93e9af171
                                                    • Instruction Fuzzy Hash: E2310D30E40219CFDF14DFA4E594A9EBBB6FF88305F144529D902A7268DF349846CB10
                                                    Function 02A54B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e44d78db1d0aae6ae0068e62dd8739767e95e5ba33764640cf3b40c61d0bbb1a
                                                    • Instruction ID: d88722c63bf398082525ef2de19e3ea5198d2ba3f1075f8f428029883e1564ba
                                                    • Opcode Fuzzy Hash: e44d78db1d0aae6ae0068e62dd8739767e95e5ba33764640cf3b40c61d0bbb1a
                                                    • Instruction Fuzzy Hash: 7F2181312002025FD71AEB79E990E6E77AFFFC0210B048A39D4458F668DF74ED4A8B94
                                                    Function 02A52908 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ad95bcb42e8eca72cded15a1a2d7a10e89b554568fd2d6f10ce778a84b618e9
                                                    • Instruction ID: 2090232794f9a5ac64557a1fdd5480687c54dce74a1982c71d0823572fe3d4d4
                                                    • Opcode Fuzzy Hash: 2ad95bcb42e8eca72cded15a1a2d7a10e89b554568fd2d6f10ce778a84b618e9
                                                    • Instruction Fuzzy Hash: 3021D834E00219DFDF24DFA4D990AAEBBB6FF88304F108225D91567268DF349806CF51
                                                    Function 02A5296A Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4686f28f935b1d336b7949e604cf2b42acde517fd7566173fd3716004099268a
                                                    • Instruction ID: a559f53a6ce3709ad32e73532e6cb9d9ae98a520c68a3a83f5428c6f347a18c2
                                                    • Opcode Fuzzy Hash: 4686f28f935b1d336b7949e604cf2b42acde517fd7566173fd3716004099268a
                                                    • Instruction Fuzzy Hash: FA21B734E40218DFDF14DFA4D980A9DBBB6FF88304F104229E915A7365DB349946CB51
                                                    Function 02A541A2 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a10d2ebb8c9cd7c014836d83b767eac0b1f54da09df47fa2391e78c6e3274d68
                                                    • Instruction ID: 7606a628b83a365193e3b0728b2a0705f65161a79ddf4844e46ecccc851d1470
                                                    • Opcode Fuzzy Hash: a10d2ebb8c9cd7c014836d83b767eac0b1f54da09df47fa2391e78c6e3274d68
                                                    • Instruction Fuzzy Hash: 2901D22170E2815FC707A77468600AE7F6AEF86120B2844ABE486DB282CD154C0BC366
                                                    Function 02A532E0 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 446468c14e4f15daaeef2b7f1d457d04c633c75b691eb014d3c3d5bfa290d19e
                                                    • Instruction ID: 9d6f6077dc03a2964d478cd1ab4cd621fb73138d2bef3b55944ff8e2f1f2069e
                                                    • Opcode Fuzzy Hash: 446468c14e4f15daaeef2b7f1d457d04c633c75b691eb014d3c3d5bfa290d19e
                                                    • Instruction Fuzzy Hash: 71111C34E80244CFCF059B74E5597AEBBB3EB88311F044869D8469B691DF359817CF50
                                                    Function 02A55940 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: af0eb92453f967a6fba943c5bd32b6096a4e4780164923928928ccb34b2046af
                                                    • Instruction ID: 53b113693f3180db8db43f84bc73305e05c5b0a5be5a153efb05968024f161e7
                                                    • Opcode Fuzzy Hash: af0eb92453f967a6fba943c5bd32b6096a4e4780164923928928ccb34b2046af
                                                    • Instruction Fuzzy Hash: 5801A476700210CF8B14EF69E49485EB7AAFBD9666310857EEA06CB354DE31DC03C7A0
                                                    Function 02A52A80 Relevance: .0, Instructions: 43COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1546f482737866ba74d0a2b7fda0bc5a0ce07b98b21267196048d8adb08b905f
                                                    • Instruction ID: 7fe53c9b9d5a5104ace5c13eea10a359b5d322f11f3a5b725abe07a5f47f7290
                                                    • Opcode Fuzzy Hash: 1546f482737866ba74d0a2b7fda0bc5a0ce07b98b21267196048d8adb08b905f
                                                    • Instruction Fuzzy Hash: F3019A356507408FC712AB78D4688AB7BF1EF816107248AAAD48ACF365DF31EC098BC1
                                                    Function 02A532F0 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6a87a9cfe502a3575b2b6799d25e9b8305f02b197b9ff5bd1266499884c074ad
                                                    • Instruction ID: 318e801bd3e6fa439e36f4175d3d86967305253a97907d557726ef1afa182b25
                                                    • Opcode Fuzzy Hash: 6a87a9cfe502a3575b2b6799d25e9b8305f02b197b9ff5bd1266499884c074ad
                                                    • Instruction Fuzzy Hash: A801D735E50244CFDF04EBB4E558BAE7BB3AB88311F004829D9069B694DF799826CB50
                                                    Function 02A52A90 Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a7116993d25f6172059a60f30c52321042a7c5a3fb580122f7bdd9c277801ed4
                                                    • Instruction ID: 2b919a22dd1b0de96168ea429697895ff4a388ab8b2f44a1db5be1534dc90313
                                                    • Opcode Fuzzy Hash: a7116993d25f6172059a60f30c52321042a7c5a3fb580122f7bdd9c277801ed4
                                                    • Instruction Fuzzy Hash: 9EF046316106008FC715AB68D45889B7BE6FF84614B1089AAE58ADF364EF75EC088BD1
                                                    Function 02A54237 Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb1df3ff20a350d9d630ccf0a8407f8efce83cc156cc8f6a5055b5ddf17565e4
                                                    • Instruction ID: 381f59e606acd12fc2c9b5ec3a4ff1528fd8245786f72c1affb5aa88d2335f3f
                                                    • Opcode Fuzzy Hash: cb1df3ff20a350d9d630ccf0a8407f8efce83cc156cc8f6a5055b5ddf17565e4
                                                    • Instruction Fuzzy Hash: D5F0E9312046401FC3065B39A4915FE7F77EEC1610B1849A9EC814BA55CE249C4B8BC1
                                                    Function 02A541E0 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73f17d6d5250af1d4f395ac904acc8e973bad00faa30a870deeeae91779d2adb
                                                    • Instruction ID: 6743fb0932919ab0864d084c5222a7e840834c2b4b2a23034eacf59898807c7a
                                                    • Opcode Fuzzy Hash: 73f17d6d5250af1d4f395ac904acc8e973bad00faa30a870deeeae91779d2adb
                                                    • Instruction Fuzzy Hash: 24E02B317042066FDB09E7AA7C609BF769FFBC8160B54492EF409DB340CF216C0243A9
                                                    Function 02A52D92 Relevance: .0, Instructions: 28COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f46319b675e4c4f02b7b501c9e4659ce9cc0b2f4d5c4ec60155ef22160fc8c6
                                                    • Instruction ID: fd147aae8d2fc4405756c78862e18d4d6fe68494cb9f2f78b1272e284bde9e6d
                                                    • Opcode Fuzzy Hash: 9f46319b675e4c4f02b7b501c9e4659ce9cc0b2f4d5c4ec60155ef22160fc8c6
                                                    • Instruction Fuzzy Hash: 0AF08231E141598FCB45DFBCC4166DE7FF0EF49210B1140A5D949E7322DA708902CB91
                                                    Function 02A51FF8 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8dfc07ea965f36590e6ab54203ad6dbdc7cf6c137289e6b078cc0f38ed030e2
                                                    • Instruction ID: 54e52cbe1e43114247d1b317a9c31a86c4d051815e9e80fc32b5a78a3851b0e1
                                                    • Opcode Fuzzy Hash: d8dfc07ea965f36590e6ab54203ad6dbdc7cf6c137289e6b078cc0f38ed030e2
                                                    • Instruction Fuzzy Hash: 46E092357462818FCB155778D46845ABFF5DF8A21131508EAE586CB732CD24CC17C751
                                                    Function 02A5374E Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ccc4c8d9369cb31bc55799c43b5f0345337df58dbe64e893c3fec6701f65a89
                                                    • Instruction ID: ab0eaa34b4978163178429090979bd3cc0db520e34c033a61b43fc5bbb48be5b
                                                    • Opcode Fuzzy Hash: 0ccc4c8d9369cb31bc55799c43b5f0345337df58dbe64e893c3fec6701f65a89
                                                    • Instruction Fuzzy Hash: C0E0CD35B00120579735563560945BF67779BC42A57284165FD4DC330CEF358C079795
                                                    Function 02A52DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 84a279be540ee86a2752a0d317e7cf77c2055111b6f89c899313c495169c9bb1
                                                    • Instruction ID: 49f3a3d002c3b7fceb8f85227689f5927d5cfb4f61869a95c5faf808bf3997bf
                                                    • Opcode Fuzzy Hash: 84a279be540ee86a2752a0d317e7cf77c2055111b6f89c899313c495169c9bb1
                                                    • Instruction Fuzzy Hash: F5E06D71E101188F8B84EFBCC8056DE7BF4EF48310B1140AAD509E7310EF709D018B91
                                                    Function 02A52008 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f2c58b38970ce83271f6b131d49ebe5a0135fb395de47e8aaa8615fec8823c32
                                                    • Instruction ID: 71fb0be50196fb943d90490717c678c131385e034468ac0e5d6f2cfd92eaaa91
                                                    • Opcode Fuzzy Hash: f2c58b38970ce83271f6b131d49ebe5a0135fb395de47e8aaa8615fec8823c32
                                                    • Instruction Fuzzy Hash: FFD01235B402148FCF146B7EE41885A77DDDFC96623010866E50AC7320DE75DC1287A1
                                                    Function 02A55640 Relevance: .0, Instructions: 10COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.3356075998.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_2a50000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 042c6535ca35cd818745cf83f928c6b0f19d36a9dbf4151c96d4f4acfa808e6c
                                                    • Instruction ID: e0d50bc49f7dc62d27b0434dd7834889e1a1b6d565db3145c6dc5dcddbc9d634
                                                    • Opcode Fuzzy Hash: 042c6535ca35cd818745cf83f928c6b0f19d36a9dbf4151c96d4f4acfa808e6c
                                                    • Instruction Fuzzy Hash: 1DB02B30940209978A001615AC08412371DEB501193840194BC0804101AE33C4220180

                                                    Executed Functions

                                                    Function 00F14F58 Relevance: 7.9, Strings: 6, Instructions: 394COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-2219660067
                                                    • Opcode ID: 078b09e7fd43608285908158bd0a6ac8824367c9ff49b5a1bb01b80b6fda56b7
                                                    • Instruction ID: 71e19fdaefda7e179f7068feb147c240da983888ef556961fe87a062deb12475
                                                    • Opcode Fuzzy Hash: 078b09e7fd43608285908158bd0a6ac8824367c9ff49b5a1bb01b80b6fda56b7
                                                    • Instruction Fuzzy Hash: 9AE17E31A00615CFDB04EFA8D8546EEBBF2AFC8711F24C069E805A7395DB349D82DB91
                                                    Function 00F13860 Relevance: 4.4, Strings: 3, Instructions: 627COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: 51f7b3d385da92ae7660c3a3d4cfc54a69dd7aaa44df4ccc7ed057fdc394ae26
                                                    • Instruction ID: 2b94afcd53deafe1913cb7ae3adfc8f530c8a54831da5538c293b1360b4da522
                                                    • Opcode Fuzzy Hash: 51f7b3d385da92ae7660c3a3d4cfc54a69dd7aaa44df4ccc7ed057fdc394ae26
                                                    • Instruction Fuzzy Hash: 6F328074B002049FDB05EB69D954AAE7BFBEF88310F148069E906A73A9DF34DC46CB51
                                                    Function 00F11049 Relevance: .8, Instructions: 843COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29e81cd7e1e30a1b322925f672fb9c06bdcd96891fb3d11dc0c0604d7a0f3ef9
                                                    • Instruction ID: 1d74cbec44a85a4218348ca3ab4af5ca1ed1f7fe5e10cac4c032e10f4c602dc0
                                                    • Opcode Fuzzy Hash: 29e81cd7e1e30a1b322925f672fb9c06bdcd96891fb3d11dc0c0604d7a0f3ef9
                                                    • Instruction Fuzzy Hash: 518264B4600609DFDB16EBA5E654B6E7B7BEF98300F108854E800233ADCB396D55DB36
                                                    Function 00F135F0 Relevance: 5.2, Strings: 4, Instructions: 198COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq
                                                    • API String ID: 0-3514690552
                                                    • Opcode ID: 0341d54c1589da963009723a55b25c8a5d8ad9fd0adfa8c275bf776fc2d5057c
                                                    • Instruction ID: 9fba153896a5129425f86a97528d079a7a3b839edd535d7c434f5739f8fad0aa
                                                    • Opcode Fuzzy Hash: 0341d54c1589da963009723a55b25c8a5d8ad9fd0adfa8c275bf776fc2d5057c
                                                    • Instruction Fuzzy Hash: 88515A317041411FE719BB79685057F2BABDFC526071884B9F90ADB395DE24DD0783A2
                                                    Function 00F15640 Relevance: 4.0, Strings: 3, Instructions: 212COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq
                                                    • API String ID: 0-2593664646
                                                    • Opcode ID: 5378e78b0a028f330fe3e350d08c163429dea499278738fe100a65a153692e48
                                                    • Instruction ID: fd836c0cb5a533fc4bdb0132ffa07f728140a7188e0387e496c6c40c7c8b7491
                                                    • Opcode Fuzzy Hash: 5378e78b0a028f330fe3e350d08c163429dea499278738fe100a65a153692e48
                                                    • Instruction Fuzzy Hash: F6718974B00605CFD704DB69D494AAEBBF6AFC8720B248069E806E7361DF74DD42CB90
                                                    Function 00F12B10 Relevance: 1.4, Strings: 1, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 4888d645527ec87bd00aa6505ce68005d2132cd8b5db80d79f65b9e381a5b272
                                                    • Instruction ID: 33363afd361033b2dc410619fcb04b99d20830f67837ce60232b97f0b2e9b4b2
                                                    • Opcode Fuzzy Hash: 4888d645527ec87bd00aa6505ce68005d2132cd8b5db80d79f65b9e381a5b272
                                                    • Instruction Fuzzy Hash: FF313C307006058FD759EB39D45896E33B2EBC9A19B2080BDD10ACB3A5DF39DC438B96
                                                    Function 00F12B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 3623f6fb8c5a2ca4a98feca159230a36f4ce4814a094f56d170d3e4409c67854
                                                    • Instruction ID: dab4060e2ab6db900300cc3def76375ca374ba0bdf3b94de590247d8ec2cf7dd
                                                    • Opcode Fuzzy Hash: 3623f6fb8c5a2ca4a98feca159230a36f4ce4814a094f56d170d3e4409c67854
                                                    • Instruction Fuzzy Hash: 1E3109317106058FD759EB39D55896E33B2EBC9A19B2081B8D10ACB3A4DF39DC43CB96
                                                    Function 00F14248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: 96347f744e7ddf04b0f60d1b8615631a97a0738a334a2cb9aabe25bbdc0d4283
                                                    • Instruction ID: dd8731290b28442ec945faf813850b504a7ae2d5cdb999c359aaed900ef138f5
                                                    • Opcode Fuzzy Hash: 96347f744e7ddf04b0f60d1b8615631a97a0738a334a2cb9aabe25bbdc0d4283
                                                    • Instruction Fuzzy Hash: 44019C327082800FD30A977D64205BE3B97EFC261074844EEE885CB356CE68ED46D3D1
                                                    Function 00F11058 Relevance: .8, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07f24c9d0b191d38a101910b91826661bbb3a2c847a7ca33ae2df35e0b5daf43
                                                    • Instruction ID: 7c4ea6ca031b270898977a1598fd31821b6f4583f42202aace43040c1b124169
                                                    • Opcode Fuzzy Hash: 07f24c9d0b191d38a101910b91826661bbb3a2c847a7ca33ae2df35e0b5daf43
                                                    • Instruction Fuzzy Hash: 778264B4600609DFDB56EBA4E654B6E7B7BFF98300F108854E800233ADCB396D55DB26
                                                    Function 00F1385A Relevance: .2, Instructions: 163COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29b38b26bab9ada4fc01747635c3c69c9a77853cc4555f6418c4d26affde702d
                                                    • Instruction ID: 570f7721fb82f8d6366fcdb3ad37f6b4ad6e32512f9813d64060596e6f96bf2e
                                                    • Opcode Fuzzy Hash: 29b38b26bab9ada4fc01747635c3c69c9a77853cc4555f6418c4d26affde702d
                                                    • Instruction Fuzzy Hash: EC615B74A01218EFDB05DFA5E994AEDBBB6FF88310F108068E805A7365DB34AD41DB50
                                                    Function 00F15AA0 Relevance: .1, Instructions: 141COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 50ec014cc99556560da2a822e4a077fe25a573ba9e0f8715d4bc9d134197a9a4
                                                    • Instruction ID: c62a24f176c3ce6de03454e96b5f1d869d3bac76ee7d30b832cd43b48f79b1c0
                                                    • Opcode Fuzzy Hash: 50ec014cc99556560da2a822e4a077fe25a573ba9e0f8715d4bc9d134197a9a4
                                                    • Instruction Fuzzy Hash: 42511875B00605CFCB04DF69D994EAABBF5EF88714B1180A9E50ADB365DB30EC45CBA0
                                                    Function 00F15240 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 47575faf30960bdfd733263522141aee90a09d9e91240055dfd2a60f1a11f98b
                                                    • Instruction ID: e0a2a08175492589da977b108e7dd55d24ca2b5f1c084086f476b952c6ac202e
                                                    • Opcode Fuzzy Hash: 47575faf30960bdfd733263522141aee90a09d9e91240055dfd2a60f1a11f98b
                                                    • Instruction Fuzzy Hash: 1F511B31E00A18DFDB14DFA5D894AEDB7F3AF88715F14C069E805A7254DB749C81DB90
                                                    Function 00F15A91 Relevance: .1, Instructions: 107COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cd97ce69631b6f43740a84669f97caa56824b01b1756db5bf924ad026a3b237d
                                                    • Instruction ID: ab4d3529f4b13a50d7d02fedbb55155f3c9f5de613eaf8e0e119760909780f69
                                                    • Opcode Fuzzy Hash: cd97ce69631b6f43740a84669f97caa56824b01b1756db5bf924ad026a3b237d
                                                    • Instruction Fuzzy Hash: AE415C75B40606CFCB04DF69D984DAABBF5EF88710B1181A9E509DB322DB30EC45CBA0
                                                    Function 00F12850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1dda0a9fee433457872a66d229c3a0f872985dc53165b2ed2169de895b84f86e
                                                    • Instruction ID: fb081e49cea010685814cbe978d372da741d5bb565f055b2971661c341e6199b
                                                    • Opcode Fuzzy Hash: 1dda0a9fee433457872a66d229c3a0f872985dc53165b2ed2169de895b84f86e
                                                    • Instruction Fuzzy Hash: AB411C74E00208CFDB18DFA5E9849EDBBB6FF88301F108569E905A7269DB389C45DF50
                                                    Function 00F12842 Relevance: .1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c6da208001743efd5ffefa3cf26806dd96036569e93c0b1121a1a64e18e2e28
                                                    • Instruction ID: f360ca58d4dc98104e26640d01023211f80e7ceb3d810a13ed3671358a9d5943
                                                    • Opcode Fuzzy Hash: 1c6da208001743efd5ffefa3cf26806dd96036569e93c0b1121a1a64e18e2e28
                                                    • Instruction Fuzzy Hash: 9D413D70E10208DFDB18DFE5E984AEDBBB6EF88310F104529D901A7269EB389885DF50
                                                    Function 00F15308 Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72e6fd3f616dd83538c42b56ba343ad5f3d14406dac3ae5d3651f295b083e001
                                                    • Instruction ID: ffa7a68ca5b49d341484d99b9914f290933e6c1f05b5485557791e913ae999cc
                                                    • Opcode Fuzzy Hash: 72e6fd3f616dd83538c42b56ba343ad5f3d14406dac3ae5d3651f295b083e001
                                                    • Instruction Fuzzy Hash: E341F834A01614DFCB04EFA5E8949EDBBB3FF88715F248069E806A7364DB349D92DB50
                                                    Function 00F12C48 Relevance: .1, Instructions: 91COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d9190d14e34505d52d768bc0c92af88bd1ba595e54645b7fa97285244da13c6b
                                                    • Instruction ID: 1a98912245a19061bc4e7572befbcb8e25ffcbf21506bc249f37d1f84183d6d3
                                                    • Opcode Fuzzy Hash: d9190d14e34505d52d768bc0c92af88bd1ba595e54645b7fa97285244da13c6b
                                                    • Instruction Fuzzy Hash: C3415C74A0020ACFDB15EFA4E984AEE7BB5FF48310F1081A5E505A7369DB34AD55CF90
                                                    Function 00F12C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d28e9520ece87474666a46b71e14204f349e20b8c470086c0f8be7cbea99707f
                                                    • Instruction ID: 386f15713fbface55ed33742bc008a119028ef91296ddf842ddf61b66249085d
                                                    • Opcode Fuzzy Hash: d28e9520ece87474666a46b71e14204f349e20b8c470086c0f8be7cbea99707f
                                                    • Instruction Fuzzy Hash: 0C310874A0020ACFCB14EFA5E585AEE7BB6FF58310F1081A5E505A7369DB349951CF90
                                                    Function 00F1288D Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 114cd18896dbe77c5fbd3b1fc69d7b0c6a2f5b79f384f49fa08daf150aac0702
                                                    • Instruction ID: 59a028f25435a6b4bb58e685114b86ebd2b367d15e8bf0d753f2313df0315c0e
                                                    • Opcode Fuzzy Hash: 114cd18896dbe77c5fbd3b1fc69d7b0c6a2f5b79f384f49fa08daf150aac0702
                                                    • Instruction Fuzzy Hash: 3A310D74E00208CFDB58DFE5E584AECBBB6FF88311F10916AD901A7269DB389C95DB10
                                                    Function 00F14B70 Relevance: .1, Instructions: 73COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6fa93236b6f4c426f7cd83641547429d8694ccf122d53294e930a560cb6c07fc
                                                    • Instruction ID: 31ab948c9d3170a5b710e1a30330b83464d6c935c852778452c79c49b02281d1
                                                    • Opcode Fuzzy Hash: 6fa93236b6f4c426f7cd83641547429d8694ccf122d53294e930a560cb6c07fc
                                                    • Instruction Fuzzy Hash: E921E5312043415FD719EB79E990D6E7BAAEF80300B048979E4458B22ADF74ED4DCB90
                                                    Function 00F14B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4b16daa4087df1d24dd1d9864b983ef45664b706ea6a6490d2869345a3701c05
                                                    • Instruction ID: 2cb1f07d9deb4f93dabceddf9c32a08edd509064fc8abeaef2bc80e6388c8ec2
                                                    • Opcode Fuzzy Hash: 4b16daa4087df1d24dd1d9864b983ef45664b706ea6a6490d2869345a3701c05
                                                    • Instruction Fuzzy Hash: 5821A1312007055FD718EB79E991E6E77AEEF80350B008A39E4458B229DF74FD498B94
                                                    Function 00F14237 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65085d4eeb24bfafa97465d88cdfb473090a5bf1d75226521f63c21edd213346
                                                    • Instruction ID: e7347a30f6054f94f73f7375ecc2340ec46d37a2a38c030593612451af98925d
                                                    • Opcode Fuzzy Hash: 65085d4eeb24bfafa97465d88cdfb473090a5bf1d75226521f63c21edd213346
                                                    • Instruction Fuzzy Hash: A01129323042041FE70CA769A85197E379BEFC4650754443AE449DB245CF35BD858795
                                                    Function 00F16888 Relevance: .1, Instructions: 63COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4932889929308752be486a872069c9b4b05425041ab8927e5cc705391189153
                                                    • Instruction ID: 206b06ebc73aab2f8299669f327b40526821db63569934a4f27ab3dce5241d50
                                                    • Opcode Fuzzy Hash: b4932889929308752be486a872069c9b4b05425041ab8927e5cc705391189153
                                                    • Instruction Fuzzy Hash: DD21B171D00205CFDB10DBA5CA497EEBBF1AF44325F508069D009FB291DB759E85EBA2
                                                    Function 00F12908 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48d01264f72ef6c47c010b82448218b74ecc8aeec275d54df94e7f3b715ef109
                                                    • Instruction ID: 44119d17bce79ea21cf1923b7c444388110b4c2c5cd78a5174b690da57d27165
                                                    • Opcode Fuzzy Hash: 48d01264f72ef6c47c010b82448218b74ecc8aeec275d54df94e7f3b715ef109
                                                    • Instruction Fuzzy Hash: 7821FC74E00108DFDB14DFE9D9809EDBBB6FF88300F10812AD91567268DB389855DF51
                                                    Function 00F15C59 Relevance: .1, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b924830e473d46b3952bcc00bd272b54e029ac6b7e8318fb320280d1ee949d3e
                                                    • Instruction ID: 026dfea56d9d6872a089e3ae291b13a7bd1d665d98e81893260e4fe8b5695f66
                                                    • Opcode Fuzzy Hash: b924830e473d46b3952bcc00bd272b54e029ac6b7e8318fb320280d1ee949d3e
                                                    • Instruction Fuzzy Hash: 53215671E00219CFDF04CBA9D998ADDBBF1AF88710F2000A5D002BB260DB759D85DBA0
                                                    Function 00F15C68 Relevance: .1, Instructions: 60COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a456ebcfe6d1dbf98e3d88b0950da08f6391f1a52e61df1383adb6f3be5d38bb
                                                    • Instruction ID: daafd0a432ee54b885efd688f00993382efb6b629a7e354feb720440afcbbbbd
                                                    • Opcode Fuzzy Hash: a456ebcfe6d1dbf98e3d88b0950da08f6391f1a52e61df1383adb6f3be5d38bb
                                                    • Instruction Fuzzy Hash: 9D21F735E00219CFDB14DBA9D598ADDBBF5AF8C720F2000A5D505BB360DB76AD84DBA0
                                                    Function 00F1296A Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a10f9225f55866febc7efbd11e5c90135fadf7d2c29591637e5049d73db86381
                                                    • Instruction ID: 8989367e4e1410e66467c592746cb87cf9379446d01f42a3f577f56fb323e267
                                                    • Opcode Fuzzy Hash: a10f9225f55866febc7efbd11e5c90135fadf7d2c29591637e5049d73db86381
                                                    • Instruction Fuzzy Hash: 4221C674E00208DFDB54DFA8E9809DCBBB6FF88300F20416AE905A7269DB34AD55DF10
                                                    Function 00F141A2 Relevance: .1, Instructions: 54COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a06b56b159d0fe5f1d4b7a93da6ae7b5f65f5a12a34d8fd05e5cff68982cab43
                                                    • Instruction ID: e957e0cb0c45cf93c9443d221721e399ec05bb1b97f9494223ed5c6e45abe3e9
                                                    • Opcode Fuzzy Hash: a06b56b159d0fe5f1d4b7a93da6ae7b5f65f5a12a34d8fd05e5cff68982cab43
                                                    • Instruction Fuzzy Hash: 5401283230C3845FE70967796C714BE3FAADF8615076404ABE945E7343CE25AD068366
                                                    Function 00F132E0 Relevance: .0, Instructions: 49COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 684219d75b4c0f4886a6cb12372aa38a7d0f2e5c0d34de10eb51f8de5bef23a7
                                                    • Instruction ID: 6dc068ec63695f9a25824d6e9a495199e76c08f367cc16792d8a29616d747212
                                                    • Opcode Fuzzy Hash: 684219d75b4c0f4886a6cb12372aa38a7d0f2e5c0d34de10eb51f8de5bef23a7
                                                    • Instruction Fuzzy Hash: 5D113C34A003448FDB88EBB9E8597ED7BBAEB88302F004429D446D724AEB3D5C55DB51
                                                    Function 00F12A80 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7fd37879d03f21c334619ae5b057ac5252b07a5e2d0597c65f213a9de5696b0e
                                                    • Instruction ID: 223e261cac17a2b322dc716f901316f9a5de89da2dc9428b667697235b5347c3
                                                    • Opcode Fuzzy Hash: 7fd37879d03f21c334619ae5b057ac5252b07a5e2d0597c65f213a9de5696b0e
                                                    • Instruction Fuzzy Hash: C40196316103048FC701AB78D5458AB7BE6EF4161430489BAE28ADF362DB31EC088FC1
                                                    Function 00F15940 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0150282638cc5708848f048aae35522684410a1619d88650dddaadb7138b083e
                                                    • Instruction ID: c1cf21f185354c5322e56d5d7f0d044e1d52111fa747b80e2046ef876c0d2686
                                                    • Opcode Fuzzy Hash: 0150282638cc5708848f048aae35522684410a1619d88650dddaadb7138b083e
                                                    • Instruction Fuzzy Hash: 3301A9763002108F9754AB6AE894C6DB7AAEBD9676310857AFA05C7315CE31DC4187A0
                                                    Function 00F15931 Relevance: .0, Instructions: 41COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c37d9d93d675f62203b74c9175a1934d01da7bd19cada955b0f3ea5edeadec52
                                                    • Instruction ID: a4e8b667f461e88c44ca622b7f5772ef946e45298bceaae2bdcde58ab36dec73
                                                    • Opcode Fuzzy Hash: c37d9d93d675f62203b74c9175a1934d01da7bd19cada955b0f3ea5edeadec52
                                                    • Instruction Fuzzy Hash: 2CF02872301300CFC7559B36D894C59BBBAEFDA67636080ABE505CB312DA30DC41C7A1
                                                    Function 00F132F0 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ed19421d2a542a720d65ef0e93e4da0320159afffc9ad9ad12d338f3f2b15ee0
                                                    • Instruction ID: 4bd26794185ad93e903c9466faa107c0880bb73bb7043e96373217c7c026a25d
                                                    • Opcode Fuzzy Hash: ed19421d2a542a720d65ef0e93e4da0320159afffc9ad9ad12d338f3f2b15ee0
                                                    • Instruction Fuzzy Hash: A0010C34A10344CBDB88EBB5E46879E7BFAEB88302F008469D54297389EF395C65DB51
                                                    Function 00F16388 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 717caa20e6a41f5a0b7800fdc610a9928531934f1e8db0478ca4b54fd215361d
                                                    • Instruction ID: 00fb15f7063e87f133e117a0f93824fc4abb4d6d90cf7f7a262ec1baef7061dc
                                                    • Opcode Fuzzy Hash: 717caa20e6a41f5a0b7800fdc610a9928531934f1e8db0478ca4b54fd215361d
                                                    • Instruction Fuzzy Hash: DC012D34D04208DFDB04EFB4A9568AC7BB5EF95308F1080A9E449E7256DA30AE04DB52
                                                    Function 00F12A90 Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afb40cad9074271e9ae04b3e804820c09621c2803a31d6801ee27fd6833bf4db
                                                    • Instruction ID: a32c61f5b2af976c09e47f318f3bd4395790a0d73272d4d2d2a7cc30057224fa
                                                    • Opcode Fuzzy Hash: afb40cad9074271e9ae04b3e804820c09621c2803a31d6801ee27fd6833bf4db
                                                    • Instruction Fuzzy Hash: 0AF046316106048FC714ABB8D54589B7BE6EF8471471089AAE18ADF326EF71ED048BC1
                                                    Function 00F16398 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 181966e7cdd0ae693361d902017878e1327bc75d3a10be798e7678bddc6f9128
                                                    • Instruction ID: 3822d9a1b83874ff012bcf2040a1f2237428b41282fe446fcdcd8ac04aab0286
                                                    • Opcode Fuzzy Hash: 181966e7cdd0ae693361d902017878e1327bc75d3a10be798e7678bddc6f9128
                                                    • Instruction Fuzzy Hash: CEF08230E0020CEF8B04EFB8E9469ADBBB5EF84204F1081A9E809E7255EE306F04DB51
                                                    Function 00F11FF8 Relevance: .0, Instructions: 26COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e0443dbaac0a90e6d9c65c519126f05f5661c0421409f77bbd75c469cf6b4228
                                                    • Instruction ID: d942745c58b678c5098322193e918b9a48d49f8086ac472322412c6758e99613
                                                    • Opcode Fuzzy Hash: e0443dbaac0a90e6d9c65c519126f05f5661c0421409f77bbd75c469cf6b4228
                                                    • Instruction Fuzzy Hash: 32E012357052814FCB065679A4588997FA9DFC651530504FFE00AC7366C9248C098B52
                                                    Function 00F12D9A Relevance: .0, Instructions: 25COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee9c95f575ceff054cfca941b8e6be040b164560aa6add8948c0e80d0d20b02b
                                                    • Instruction ID: e50a0041b4532eb9b856c0b8b754d209f7061ddd6294410222f77a64c5d32b2d
                                                    • Opcode Fuzzy Hash: ee9c95f575ceff054cfca941b8e6be040b164560aa6add8948c0e80d0d20b02b
                                                    • Instruction Fuzzy Hash: 3FF01C76A10018CF8B84EFA895056ED7BF0AF48311B1040A9D519E3312EB709A118B91
                                                    Function 00F12DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25bc864366734bd95ddb47de1c31b2372b265307f9043dfc53169c9cad78a781
                                                    • Instruction ID: 2c2427949f28740eee501f103eab0569227f91108e611990a2f196671e28c239
                                                    • Opcode Fuzzy Hash: 25bc864366734bd95ddb47de1c31b2372b265307f9043dfc53169c9cad78a781
                                                    • Instruction Fuzzy Hash: EFE0ED71E10118CF8B84EFBDD9056DE7BF5EF48311B2140A9E619E7311EB709E118B91
                                                    Function 00F12008 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7dbdaefff6c98ec1517b3e99c95aca88d4b2a57dd14abfddfe7bcf0085ea2388
                                                    • Instruction ID: fd239e3bfac4721ea03d33922b647830773f4683844de6a0f068b4ef9264e37a
                                                    • Opcode Fuzzy Hash: 7dbdaefff6c98ec1517b3e99c95aca88d4b2a57dd14abfddfe7bcf0085ea2388
                                                    • Instruction Fuzzy Hash: 21D017357002148FCB18AABEE41889A77EEEFC966230104AAE50AC7325DE75DC0187A2
                                                    Function 00F166C8 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37458001e8687b96ecd91256d4f681cca083fa4d59c2ccef8e62d8485858727f
                                                    • Instruction ID: 208d33930671c897c39c666debf888e27fe3cb903b04244127e4a1fe088422a0
                                                    • Opcode Fuzzy Hash: 37458001e8687b96ecd91256d4f681cca083fa4d59c2ccef8e62d8485858727f
                                                    • Instruction Fuzzy Hash: 4ED09722B082A04B8B01231C38048A91FAACBC66B331A01FBF144EB30BCC004E0593D2
                                                    Function 00F16469 Relevance: .0, Instructions: 19COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2c58fae3ddbce0cb4b75cbd339d804151aac1a9f4ab1ac253e3a5e9814df0e90
                                                    • Instruction ID: c53106ff66e533ad5b76933239b7cb95690d12c6f6b63644e740ca821f2650eb
                                                    • Opcode Fuzzy Hash: 2c58fae3ddbce0cb4b75cbd339d804151aac1a9f4ab1ac253e3a5e9814df0e90
                                                    • Instruction Fuzzy Hash: 6ED02EB8B483008FC304EB28E08192033BEEB9C314B0000F1F209C7336C824EC828328
                                                    Function 00F15631 Relevance: .0, Instructions: 18COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4d185dad6d9949011012bfdb3c1f9c4c176500f528fe633cd2cd4692e411ee82
                                                    • Instruction ID: 42c0a465b11eb6ac30e9856d6dc28ce8be28585740e4548002cf1a672d27ad5a
                                                    • Opcode Fuzzy Hash: 4d185dad6d9949011012bfdb3c1f9c4c176500f528fe633cd2cd4692e411ee82
                                                    • Instruction Fuzzy Hash: FCD02220414705AFF3020925AC4A1D03B3CEF4262831001E1E80CC2003A92FD84B4B80
                                                    Function 00F16478 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000017.00000002.3486660918.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_23_2_f10000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb16ea569d0d4fdcf016562d0c7bdfa845cfa79fc9ab07160da8aeca97c0d13a
                                                    • Instruction ID: 5c92e1da3cbba717e24c682e81c1235fe7771c233b4e77a4f3591477d500f593
                                                    • Opcode Fuzzy Hash: bb16ea569d0d4fdcf016562d0c7bdfa845cfa79fc9ab07160da8aeca97c0d13a
                                                    • Instruction Fuzzy Hash: 2DC012347402044F8208EB6CD041C1573EAFB8C71471040A4F50DC7339CD20FC41C618

                                                    Executed Functions

                                                    Function 00B34F58 Relevance: 10.6, Strings: 8, Instructions: 595COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq$(aq$(aq$(aq$(aq$(aq$(aq$(aq
                                                    • API String ID: 0-2413629574
                                                    • Opcode ID: f89a56389186565df56e99a7d323fc82254d6da8a35c69058761757a5171c2e8
                                                    • Instruction ID: 0e5fd5dfca53e5205d1388b57a12fa441156d041b61941dc2fefa09d239047da
                                                    • Opcode Fuzzy Hash: f89a56389186565df56e99a7d323fc82254d6da8a35c69058761757a5171c2e8
                                                    • Instruction Fuzzy Hash: AC229E74B006158FDB18DF68D4946AEBBF2EF88311F2580A9D406E73A5DF34AD42CB91
                                                    Function 00B31049 Relevance: .8, Instructions: 840COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 78118b4dca8f30eca05e9b6ba2bb7bcbd40522fbe9a53817cfa8f312a90973a9
                                                    • Instruction ID: d542d3b8deb8c65bc252f59899e4ea23eee9bb5a5ce39b6d0daee56e341a11ea
                                                    • Opcode Fuzzy Hash: 78118b4dca8f30eca05e9b6ba2bb7bcbd40522fbe9a53817cfa8f312a90973a9
                                                    • Instruction Fuzzy Hash: 0F82D6B4640209DFDB06EBA5E654B6E7B7BEF88301F108414E801237AECB3D6D55DB26
                                                    Function 00B32B20 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: f88ad62640a9474ec057a64db99a4449f750d6199751468df2d33de4c314ea88
                                                    • Instruction ID: 7a06f99db774ba711b5d3740ba9c7564e0c9343f56e5cd35d2fb73709f549bec
                                                    • Opcode Fuzzy Hash: f88ad62640a9474ec057a64db99a4449f750d6199751468df2d33de4c314ea88
                                                    • Instruction Fuzzy Hash: 9031EA357102158FD709EB39D458A6E73B2EFCAA197208168D10A8B3A4DE39DC438B96
                                                    Function 00B32B10 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: f093986ef811257e33cccdcb0d0616402fdd9bb990de4346e4d5d056c39d2da8
                                                    • Instruction ID: 1e98e39db5810aa65aa630a4ce9781db947cb5c5539a50e11666533098cd914a
                                                    • Opcode Fuzzy Hash: f093986ef811257e33cccdcb0d0616402fdd9bb990de4346e4d5d056c39d2da8
                                                    • Instruction Fuzzy Hash: A1314C35B402158FD709AB38D45465E33B3EF8AA097208478D24ACB3A4DF39DC43CB96
                                                    Function 00B34248 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (aq
                                                    • API String ID: 0-600464949
                                                    • Opcode ID: f6b06840fffb8991f00dc904ed5595cf4a1d4f32266e054a34e725b434c8d973
                                                    • Instruction ID: 9590d56de482ef3c912c2a2f158b3374cb3f42b4a670b34cbc2f79b656639661
                                                    • Opcode Fuzzy Hash: f6b06840fffb8991f00dc904ed5595cf4a1d4f32266e054a34e725b434c8d973
                                                    • Instruction Fuzzy Hash: B10128727082400FD70A977D681457E3B97DFC261075844EEE486DB356CE68ED46C3D6
                                                    Function 00B31058 Relevance: .8, Instructions: 835COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e505f9469a80cede5a3b0090bba336ea06886409dbfd121fb38f90b2bbeca21d
                                                    • Instruction ID: 5108d948e2b463a1375f76b2e5ac0f23e9ea894bc01d65b7674f9ddc2468243d
                                                    • Opcode Fuzzy Hash: e505f9469a80cede5a3b0090bba336ea06886409dbfd121fb38f90b2bbeca21d
                                                    • Instruction Fuzzy Hash: 2A82D6B4640209DFDB06EBA5E654B6E7B7BEF88301F108414E801237AECB3D6D55DB26
                                                    Function 00B3B0B0 Relevance: .7, Instructions: 680COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 714db03a958fdb05634b27b5b6dfe487ac5a99db345780b4b5a2a46b4b796c35
                                                    • Instruction ID: 3116ae653e70c87843b0572c08b0e841d40f31b974d73640e5722b21ce8ad8ef
                                                    • Opcode Fuzzy Hash: 714db03a958fdb05634b27b5b6dfe487ac5a99db345780b4b5a2a46b4b796c35
                                                    • Instruction Fuzzy Hash: 76523938A01200CFD729EF74E598A6977B2FF84306B6484A9D5168B3A9DB39DC42CF41
                                                    Function 00B32850 Relevance: .1, Instructions: 106COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bc8f956e6393aa329d2919c33a6b53c32055481a80a7e99b8bcb05fd772634de
                                                    • Instruction ID: 55c73db3f94f0ac70d2b68bfc3e3f0ae4d9ba29a04ee0c57bc4ea4fc134731e0
                                                    • Opcode Fuzzy Hash: bc8f956e6393aa329d2919c33a6b53c32055481a80a7e99b8bcb05fd772634de
                                                    • Instruction Fuzzy Hash: A941FB75E00208CFDB18EFA5D984AADBBF6FF88301F208569D505A7264DB399C45CF50
                                                    Function 00B32842 Relevance: .1, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0214b6d055ca14f3eaca97afd8cea58052d57fb244775f569a4c6d5c0756d8a
                                                    • Instruction ID: d0f29f973a219c9cf0ed05ea98d1e1b0d714c11a4db6e3550eaa389bb9fa3426
                                                    • Opcode Fuzzy Hash: d0214b6d055ca14f3eaca97afd8cea58052d57fb244775f569a4c6d5c0756d8a
                                                    • Instruction Fuzzy Hash: E8313BB4E00208DFEB19DFA5D984AADBBF6FF88301F208579D501A7264DB399845CF20
                                                    Function 00B3B0A0 Relevance: .1, Instructions: 86COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 026a8fd7c67dd8993706e4d887d26ed0508b892987008763d302af8232323773
                                                    • Instruction ID: 09147d31354ed67ee8730de51eee3c065a44a01f2fda3f68711f67f00a1809c3
                                                    • Opcode Fuzzy Hash: 026a8fd7c67dd8993706e4d887d26ed0508b892987008763d302af8232323773
                                                    • Instruction Fuzzy Hash: 9C31E430B002059FDB14EB78E894A9DBBE6FF84304F14852DD116AB3A5DF74AD0ACB81
                                                    Function 00B32C48 Relevance: .1, Instructions: 83COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e714a0dffbdaad9efc445e70c42b0ab85dad4c3a6be3fdec611af55fc7eb8211
                                                    • Instruction ID: e8d402278dafea4fb340feb6662d7f14341d95ca88ac9962e2afeffa02dd3852
                                                    • Opcode Fuzzy Hash: e714a0dffbdaad9efc445e70c42b0ab85dad4c3a6be3fdec611af55fc7eb8211
                                                    • Instruction Fuzzy Hash: D13130B490020ACFDB45EF64E584AED7BB6FF48305F108165D501A7368EB789D41CF91
                                                    Function 00B32C58 Relevance: .1, Instructions: 82COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b14530dd3b1689effcc0f76f2fb93c81e964c1e47c419c08f81eadeff0261a06
                                                    • Instruction ID: 15640b8772e58760dfac4bf244c2008d2796c62b8f83b9e2f3e99261d7bea000
                                                    • Opcode Fuzzy Hash: b14530dd3b1689effcc0f76f2fb93c81e964c1e47c419c08f81eadeff0261a06
                                                    • Instruction Fuzzy Hash: 25313E7490020ACFDB44EFA8D584AEEBBB6FF48311F108165D901A7368EB78AD41CF91
                                                    Function 00B3288D Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ebb7792f6f5841b9b8a83b0f881eefa3a5a082d34daef4a364d92d5e206e91aa
                                                    • Instruction ID: dbbc423dd06e1eead040082d21248b23596228ea5eb1bb891a863369654f470c
                                                    • Opcode Fuzzy Hash: ebb7792f6f5841b9b8a83b0f881eefa3a5a082d34daef4a364d92d5e206e91aa
                                                    • Instruction Fuzzy Hash: 6731FC74E10208DFEB18DFA5E984AACBBF6FF88301F248169D501A7268DB399C45CF10
                                                    Function 00B34B50 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0340902b40aa33f103b104dda6b5d3a35a455607c3a1a74aef85c2286a07331b
                                                    • Instruction ID: 0fe294c2080b8f288018cdbee8a46efa3a7245cd28a3d3accf8e2a8585175335
                                                    • Opcode Fuzzy Hash: 0340902b40aa33f103b104dda6b5d3a35a455607c3a1a74aef85c2286a07331b
                                                    • Instruction Fuzzy Hash: 9521B5712043415FD709EF78E980A5DBBAAEF80310B048979D0468F26ADB78E949C795
                                                    Function 00B34B80 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88baca1492325400ad6271608bea3fb7a5cde7258bd2699262ba1e56fb3098ca
                                                    • Instruction ID: 4a50b3720a04f1fa88319c6f10885ff1e932ea6f4ec4aecff220f58ff1a42e57
                                                    • Opcode Fuzzy Hash: 88baca1492325400ad6271608bea3fb7a5cde7258bd2699262ba1e56fb3098ca
                                                    • Instruction Fuzzy Hash: 072184312002015FD718EB79E980E5EB7AEEFC0310B048A39D4068B769DF74FD498795
                                                    Function 00B32908 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e0be128092cae19d84189693351171314aa8fadc34595f7b1751733c42139b0e
                                                    • Instruction ID: d01ae1ab4307b589edd898c63b33934d17107640c27aa00074d292172f4cd3aa
                                                    • Opcode Fuzzy Hash: e0be128092cae19d84189693351171314aa8fadc34595f7b1751733c42139b0e
                                                    • Instruction Fuzzy Hash: EF21FC74E10208DFDF18DFA9D980AADBBB6FF88301F108165D91567268DB799845CF21
                                                    Function 00B36889 Relevance: .1, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 836e808d83c57a61d13b538558cc5f5789e607cbb20bea14f66e2c542db57a8c
                                                    • Instruction ID: cb10266da679b4da60fc18a167dca2ab5a3f46aa05c67214bea77c46408d02dd
                                                    • Opcode Fuzzy Hash: 836e808d83c57a61d13b538558cc5f5789e607cbb20bea14f66e2c542db57a8c
                                                    • Instruction Fuzzy Hash: FF217271D00105DFDB10DBA4C9497EEBBF1EB49304F30C1A9D005A7251DB754E06CB51
                                                    Function 00B3296A Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 77702dd1647bc6364e901e2d9ba8cfefb04dddf076bb6d044bde53b4306c9abc
                                                    • Instruction ID: b901049a70b9f58ffd00504c98748b3df25fe6f70614305749ae732f3a4c8d45
                                                    • Opcode Fuzzy Hash: 77702dd1647bc6364e901e2d9ba8cfefb04dddf076bb6d044bde53b4306c9abc
                                                    • Instruction Fuzzy Hash: 7321A874E00208DFDB18DFA8D984AACBBB6FF88301F204169D905A7368DB39AD45CF51
                                                    Function 00B341A2 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a1b89561fb8486bccac89f40f4a977d9c2f26f3a0d727be18a98031c8d1e802
                                                    • Instruction ID: d12f226f65c5fcb842933c7bd8ca5f93f4ac20c3bb08d8d90bfa1cec9e29c257
                                                    • Opcode Fuzzy Hash: 2a1b89561fb8486bccac89f40f4a977d9c2f26f3a0d727be18a98031c8d1e802
                                                    • Instruction Fuzzy Hash: F90142323093814FE70A2B3098601AD3FA7EF82210768049BC446EB397CE259D0AC366
                                                    Function 00B34237 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c16d05cbffeb062ced699c5dcc94722bc4a2c8b73cd7014c1f91664e8e75e0d
                                                    • Instruction ID: 0c1101bf8460d4bb50d7af433fe788b7e2ada6de1500f6e25fcc7fa13e2e6221
                                                    • Opcode Fuzzy Hash: 3c16d05cbffeb062ced699c5dcc94722bc4a2c8b73cd7014c1f91664e8e75e0d
                                                    • Instruction Fuzzy Hash: B3F0ACF76446012BDB0A6B64E9501693FA3EFC2390BA41AB6C5858F65ACF35484BC385
                                                    Function 00B32A80 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61d34f1836b16d9927c4da221b1d5f2df77f335d94b2ecc6af144247928ac7e4
                                                    • Instruction ID: d87b44eac01e3694234596096616862e34241d6ff12d40c94fe9171810bfdce5
                                                    • Opcode Fuzzy Hash: 61d34f1836b16d9927c4da221b1d5f2df77f335d94b2ecc6af144247928ac7e4
                                                    • Instruction Fuzzy Hash: F80178B66107008FC712EF68D54488B7BE2EF4531471089AAD29ACF325EB35EC048B82
                                                    Function 00B32A90 Relevance: .0, Instructions: 37COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cda78061a63d1f5af848165ceeb0f97afac33af971120d0bc0a0ca787ae303d2
                                                    • Instruction ID: 234a2734e2a81c05dc9f5aabf17f47f1be124067a67a2c7e25a2812271ff288e
                                                    • Opcode Fuzzy Hash: cda78061a63d1f5af848165ceeb0f97afac33af971120d0bc0a0ca787ae303d2
                                                    • Instruction Fuzzy Hash: 2FF069726107008FC715EB79C54984B7BE6EF8571471089AAE29ADF325EB35EC048BC2
                                                    Function 00B341E0 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d34e771cdb25ef59d43c78227ced84a7d0510ce21c0918b6b4e727c5564e9621
                                                    • Instruction ID: 9db0f5366a7d1f3aff78b8cc28384f25c486c31a28c90cfd66a288a3dce0d125
                                                    • Opcode Fuzzy Hash: d34e771cdb25ef59d43c78227ced84a7d0510ce21c0918b6b4e727c5564e9621
                                                    • Instruction Fuzzy Hash: 5CE02B727041052FAB08A7AA7C5197F76DFEBC9260754082EF10AD7300CF316D0147A6
                                                    Function 00B36390 Relevance: .0, Instructions: 31COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a94f6cb235decfef8c9c191240970b5b2e77581170e16022e36131396877930
                                                    • Instruction ID: c42955b9162b9d6738d535feca4ab05058e00be297867efcdc213c2eb565123e
                                                    • Opcode Fuzzy Hash: 8a94f6cb235decfef8c9c191240970b5b2e77581170e16022e36131396877930
                                                    • Instruction Fuzzy Hash: C6F05474A00208EFDF44EFB4D54159D7BB2DF85200F1041A9E40AA7340DA309F05DB51
                                                    Function 00B36398 Relevance: .0, Instructions: 27COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef007545c876f2be6783a6eb27efe6fd26cf151648602093c0f2df1da91c6274
                                                    • Instruction ID: c4791a6ffbd11ad2a08edf90a93ff4ccead911f185715a82414b1f09252d5cac
                                                    • Opcode Fuzzy Hash: ef007545c876f2be6783a6eb27efe6fd26cf151648602093c0f2df1da91c6274
                                                    • Instruction Fuzzy Hash: 22F03774E00209EFDF44EFB8D54159D7BF6EF85204F1041A9A80AE7344DA306F05DB51
                                                    Function 00B32DA0 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7481e3d20f399ae5ed43a594f62f107bac8657fbffa2866e0489f7a125147cc4
                                                    • Instruction ID: 036983a38fcc0ca373a65b4da84b93bf20eebe26465987f5482d27e8d6c0d20c
                                                    • Opcode Fuzzy Hash: 7481e3d20f399ae5ed43a594f62f107bac8657fbffa2866e0489f7a125147cc4
                                                    • Instruction Fuzzy Hash: 79E06D71E101188F8B84EFBDC9056DE7BF5EF48310B2040BAD619E3301EB709E008B91
                                                    Function 00B32D92 Relevance: .0, Instructions: 23COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 41cea3ef87baa84bcfda09d9d33f243983cdfd57b2d867cf6cad82375784f486
                                                    • Instruction ID: 5eb0fd3ed0ce88cd58bb89534dc600fee9ebfab87841927dc6eb3b9763a4bb54
                                                    • Opcode Fuzzy Hash: 41cea3ef87baa84bcfda09d9d33f243983cdfd57b2d867cf6cad82375784f486
                                                    • Instruction Fuzzy Hash: BAF030B6E10115CFAB95DFA8E5446DD7FF2EB48300B2040E9D219E7361DB745E018B45
                                                    Function 00B32008 Relevance: .0, Instructions: 20COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f6296699d94b16943f19110c3837776ae483d599ff5014ea2592e61177bfd994
                                                    • Instruction ID: a7caa3b3e6f75e9533a566121772552f1541e83f76a538f92b9ac517b41b7122
                                                    • Opcode Fuzzy Hash: f6296699d94b16943f19110c3837776ae483d599ff5014ea2592e61177bfd994
                                                    • Instruction Fuzzy Hash: 4FD017397402148FCB146ABEE41C95A7BEEEFC966231104AAE60AC7360DE75DC0187A1
                                                    Function 00B3646B Relevance: .0, Instructions: 18COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 04d70f7871a2339e6a47265414c14de164497470aca77f282f82f5bcb90586d4
                                                    • Instruction ID: 766de3796569dc969a0c5dda348ebeae512c0a9ba4b39bd62991c85ca0ba47d8
                                                    • Opcode Fuzzy Hash: 04d70f7871a2339e6a47265414c14de164497470aca77f282f82f5bcb90586d4
                                                    • Instruction Fuzzy Hash: DEE026B4A052449FC705CB74E2848603B62EB4232831908C9E149CB2B7CA259405CB18
                                                    Function 00B366D3 Relevance: .0, Instructions: 15COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fffda9c7e1d0a265ebe45f9919f5c7168eba9de928381cd67d9795c3fc7a89b2
                                                    • Instruction ID: f064ddcadefcafa8a588aa5b2f2e9eb71afce569e530801f79a402622ad94a5e
                                                    • Opcode Fuzzy Hash: fffda9c7e1d0a265ebe45f9919f5c7168eba9de928381cd67d9795c3fc7a89b2
                                                    • Instruction Fuzzy Hash: BDC08C37300030171A04216C35400FD13CBC6C99A238901BBF206E7306CD548E0383C2
                                                    Function 00B32017 Relevance: .0, Instructions: 13COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f69bdc6afce36e0856d3181df5c311830b1596ab27f3f2c478ed09e365b2a0f
                                                    • Instruction ID: 9054196de8ff6e00f9675b53fcce74eab285c6ddc7a2e9119098d0c5f242f59b
                                                    • Opcode Fuzzy Hash: 5f69bdc6afce36e0856d3181df5c311830b1596ab27f3f2c478ed09e365b2a0f
                                                    • Instruction Fuzzy Hash: D1C0027D7401008FCB046BB9E15C5597BA5EFC425635104A5F606C7771DE35DC558A20
                                                    Function 00B36478 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000024.00000002.3574581505.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_36_2_b30000_Pinball.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa96bc0b2440a6231231004c3755529c543a0616294c022741fd1a94aa7972a1
                                                    • Instruction ID: 44e965d62738342bc5a56dac59a5acd8ad433cdfb91ac53064b8a07c7e754ebc
                                                    • Opcode Fuzzy Hash: fa96bc0b2440a6231231004c3755529c543a0616294c022741fd1a94aa7972a1
                                                    • Instruction Fuzzy Hash: 15C012747442044F8208EB5CD044C1573EAEB8C71471040A4E609C7339CD20FC41C658