c60c7061f20c6cf9645da0ebf22b143913038a93d9358c2693430e1925d6114b

Resubmissions

17/04/2024, 09:27

240417-levmkaah66 8

16/04/2024, 15:27

240416-svq3msde45 8

Analysis

max time kernel
1800s
max time network
1771s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 09:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e00b253eda798487f5fef2ef25164fd8.exe
Size

126KB
MD5

e00b253eda798487f5fef2ef25164fd8
SHA1

cf2c21c845f16ed144487e9f86d8b5ba8376008b
SHA256

c60c7061f20c6cf9645da0ebf22b143913038a93d9358c2693430e1925d6114b
SHA512

bd3dd458dfe3cc38c3ac24a53bf96f7362052fedda39df8aa13ce41a250ce27ecd55068898d4c21e1622f7542891b82adc1b2d884684bf080080bfded7f17d13
SSDEEP

1536:duokBZMKvOsg8ISIv47rz0D+/R/Av3coL6+9D8rbBuS7BeAXJ6xkRQsN5xgSF:RkBGWOsTIJgIDU5A/coLx9DoBRe/xK1F

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
2736	setup.exe
1448	Pinball.exe
1644	Pinball.exe
2432	Pinball.exe
1708	Pinball.exe
2184	Pinball.exe
1968	Pinball.exe
1720	Pinball.exe
2816	Pinball.exe
2960	Pinball.exe
1768	Pinball.exe
2116	Pinball.exe
1940	Pinball.exe
836	Pinball.exe
1496	Pinball.exe
2228	Pinball.exe
1868	Pinball.exe
2200	Pinball.exe
2596	Pinball.exe
776	Pinball.exe
2028	Pinball.exe
1664	Pinball.exe
2540	Pinball.exe
2096	Pinball.exe
2996	Pinball.exe
1356	Pinball.exe
1644	Pinball.exe
1208	Pinball.exe
828	Pinball.exe
2780	Pinball.exe
1028	Pinball.exe
2768	Pinball.exe
552	Pinball.exe
1520	Pinball.exe
2152	Pinball.exe
1232	Pinball.exe
1980	Pinball.exe
2036	Pinball.exe
2508	Pinball.exe
2920	Pinball.exe
2488	Pinball.exe
1404	Pinball.exe
2944	Pinball.exe
2704	Pinball.exe
3020	Pinball.exe
3004	Pinball.exe
1752	Pinball.exe
1208	Pinball.exe
1792	Pinball.exe
756	Pinball.exe
1956	Pinball.exe
572	Pinball.exe
2640	Pinball.exe
1044	Pinball.exe
2548	Pinball.exe
1716	Pinball.exe
2476	Pinball.exe
2216	Pinball.exe
2736	Pinball.exe
2392	Pinball.exe
2544	Pinball.exe
2080	Pinball.exe
2000	Pinball.exe
2900	Pinball.exe

Loads dropped DLL 64 IoCs

pid	Process
2976	e00b253eda798487f5fef2ef25164fd8.exe
2976	e00b253eda798487f5fef2ef25164fd8.exe
2976	e00b253eda798487f5fef2ef25164fd8.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
2432	Pinball.exe
2432	Pinball.exe
2432	Pinball.exe
2432	Pinball.exe
2432	Pinball.exe
2432	Pinball.exe
1708	Pinball.exe
1708	Pinball.exe
1708	Pinball.exe
1708	Pinball.exe
1708	Pinball.exe
1708	Pinball.exe
2184	Pinball.exe
2184	Pinball.exe
2184	Pinball.exe
2184	Pinball.exe
2184	Pinball.exe
2184	Pinball.exe
1968	Pinball.exe
1968	Pinball.exe
1968	Pinball.exe
1968	Pinball.exe
1968	Pinball.exe
1968	Pinball.exe
1720	Pinball.exe
1720	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2960	Pinball.exe
2960	Pinball.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pinball = "C:\\Users\\Admin\\AppData\\Roaming\\Pinball\\Pinball.exe"	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015136-13.dat	nsis_installer_1
behavioral1/files/0x0007000000015136-13.dat	nsis_installer_2
behavioral1/files/0x0005000000019c8d-115.dat	nsis_installer_1
behavioral1/files/0x0005000000019c8d-115.dat	nsis_installer_2

Modifies Control Panel 29 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\\\Cursors\\\\aero_arrow.cur"	Pinball.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	e00b253eda798487f5fef2ef25164fd8.exe
2976	e00b253eda798487f5fef2ef25164fd8.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1448	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
2816	Pinball.exe
1496	Pinball.exe
1496	Pinball.exe
1496	Pinball.exe
1496	Pinball.exe
1496	Pinball.exe
1496	Pinball.exe
1496	Pinball.exe
2028	Pinball.exe
2028	Pinball.exe
2028	Pinball.exe
2028	Pinball.exe
2028	Pinball.exe
2028	Pinball.exe
2028	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
1644	Pinball.exe
552	Pinball.exe
552	Pinball.exe
552	Pinball.exe
552	Pinball.exe
552	Pinball.exe
552	Pinball.exe
552	Pinball.exe
2508	Pinball.exe
2508	Pinball.exe
2508	Pinball.exe
2508	Pinball.exe
2508	Pinball.exe
2508	Pinball.exe
2508	Pinball.exe
3020	Pinball.exe
3020	Pinball.exe
3020	Pinball.exe
3020	Pinball.exe
3020	Pinball.exe
3020	Pinball.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	Pinball.exe
Token: SeDebugPrivilege	1644	Pinball.exe
Token: SeDebugPrivilege	2432	Pinball.exe
Token: SeDebugPrivilege	1708	Pinball.exe
Token: SeDebugPrivilege	2184	Pinball.exe
Token: SeDebugPrivilege	1968	Pinball.exe
Token: SeDebugPrivilege	2816	Pinball.exe
Token: SeDebugPrivilege	2960	Pinball.exe
Token: SeDebugPrivilege	1768	Pinball.exe
Token: SeDebugPrivilege	2116	Pinball.exe
Token: SeDebugPrivilege	1940	Pinball.exe
Token: SeDebugPrivilege	836	Pinball.exe
Token: SeDebugPrivilege	1496	Pinball.exe
Token: SeDebugPrivilege	2228	Pinball.exe
Token: SeDebugPrivilege	1868	Pinball.exe
Token: SeDebugPrivilege	2200	Pinball.exe
Token: SeDebugPrivilege	2596	Pinball.exe
Token: SeDebugPrivilege	2028	Pinball.exe
Token: SeDebugPrivilege	1664	Pinball.exe
Token: SeDebugPrivilege	2540	Pinball.exe
Token: SeDebugPrivilege	2096	Pinball.exe
Token: SeDebugPrivilege	2996	Pinball.exe
Token: SeDebugPrivilege	1644	Pinball.exe
Token: SeDebugPrivilege	1208	Pinball.exe
Token: SeDebugPrivilege	828	Pinball.exe
Token: SeDebugPrivilege	2780	Pinball.exe
Token: SeDebugPrivilege	1028	Pinball.exe
Token: SeDebugPrivilege	552	Pinball.exe
Token: SeDebugPrivilege	1520	Pinball.exe
Token: SeDebugPrivilege	2152	Pinball.exe
Token: SeDebugPrivilege	1232	Pinball.exe
Token: SeDebugPrivilege	1980	Pinball.exe
Token: SeDebugPrivilege	2508	Pinball.exe
Token: SeDebugPrivilege	2920	Pinball.exe
Token: SeDebugPrivilege	2488	Pinball.exe
Token: SeDebugPrivilege	1404	Pinball.exe
Token: SeDebugPrivilege	2944	Pinball.exe
Token: SeDebugPrivilege	3020	Pinball.exe
Token: SeDebugPrivilege	3004	Pinball.exe
Token: SeDebugPrivilege	1752	Pinball.exe
Token: SeDebugPrivilege	1208	Pinball.exe
Token: SeDebugPrivilege	1792	Pinball.exe
Token: SeDebugPrivilege	756	Pinball.exe
Token: SeDebugPrivilege	1956	Pinball.exe
Token: SeDebugPrivilege	572	Pinball.exe
Token: SeDebugPrivilege	2640	Pinball.exe
Token: SeDebugPrivilege	1044	Pinball.exe
Token: SeDebugPrivilege	2548	Pinball.exe
Token: SeDebugPrivilege	1716	Pinball.exe
Token: SeDebugPrivilege	2476	Pinball.exe
Token: SeDebugPrivilege	2216	Pinball.exe
Token: SeDebugPrivilege	2736	Pinball.exe
Token: SeDebugPrivilege	2392	Pinball.exe
Token: SeDebugPrivilege	2544	Pinball.exe
Token: SeDebugPrivilege	2080	Pinball.exe
Token: SeDebugPrivilege	2000	Pinball.exe
Token: SeDebugPrivilege	2900	Pinball.exe
Token: SeDebugPrivilege	600	Pinball.exe
Token: SeDebugPrivilege	1528	Pinball.exe
Token: SeDebugPrivilege	2380	Pinball.exe
Token: SeDebugPrivilege	3004	Pinball.exe
Token: SeDebugPrivilege	1920	Pinball.exe
Token: SeDebugPrivilege	2324	Pinball.exe
Token: SeDebugPrivilege	2912	Pinball.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2976 wrote to memory of 2736	2976	e00b253eda798487f5fef2ef25164fd8.exe	29
PID 2736 wrote to memory of 1448	2736	setup.exe	30
PID 2736 wrote to memory of 1448	2736	setup.exe	30
PID 2736 wrote to memory of 1448	2736	setup.exe	30
PID 2736 wrote to memory of 1448	2736	setup.exe	30
PID 1448 wrote to memory of 1644	1448	Pinball.exe	34
PID 1448 wrote to memory of 1644	1448	Pinball.exe	34
PID 1448 wrote to memory of 1644	1448	Pinball.exe	34
PID 1448 wrote to memory of 1644	1448	Pinball.exe	34
PID 1448 wrote to memory of 2432	1448	Pinball.exe	35
PID 1448 wrote to memory of 2432	1448	Pinball.exe	35
PID 1448 wrote to memory of 2432	1448	Pinball.exe	35
PID 1448 wrote to memory of 2432	1448	Pinball.exe	35
PID 1448 wrote to memory of 1708	1448	Pinball.exe	36
PID 1448 wrote to memory of 1708	1448	Pinball.exe	36
PID 1448 wrote to memory of 1708	1448	Pinball.exe	36
PID 1448 wrote to memory of 1708	1448	Pinball.exe	36
PID 1448 wrote to memory of 2184	1448	Pinball.exe	37
PID 1448 wrote to memory of 2184	1448	Pinball.exe	37
PID 1448 wrote to memory of 2184	1448	Pinball.exe	37
PID 1448 wrote to memory of 2184	1448	Pinball.exe	37
PID 1448 wrote to memory of 1968	1448	Pinball.exe	38
PID 1448 wrote to memory of 1968	1448	Pinball.exe	38
PID 1448 wrote to memory of 1968	1448	Pinball.exe	38
PID 1448 wrote to memory of 1968	1448	Pinball.exe	38
PID 1448 wrote to memory of 1720	1448	Pinball.exe	39
PID 1448 wrote to memory of 1720	1448	Pinball.exe	39
PID 1448 wrote to memory of 1720	1448	Pinball.exe	39
PID 1448 wrote to memory of 1720	1448	Pinball.exe	39
PID 1644 wrote to memory of 2816	1644	Pinball.exe	40
PID 1644 wrote to memory of 2816	1644	Pinball.exe	40
PID 1644 wrote to memory of 2816	1644	Pinball.exe	40
PID 1644 wrote to memory of 2816	1644	Pinball.exe	40
PID 1644 wrote to memory of 2960	1644	Pinball.exe	41
PID 1644 wrote to memory of 2960	1644	Pinball.exe	41
PID 1644 wrote to memory of 2960	1644	Pinball.exe	41
PID 1644 wrote to memory of 2960	1644	Pinball.exe	41
PID 1644 wrote to memory of 1768	1644	Pinball.exe	42
PID 1644 wrote to memory of 1768	1644	Pinball.exe	42
PID 1644 wrote to memory of 1768	1644	Pinball.exe	42
PID 1644 wrote to memory of 1768	1644	Pinball.exe	42
PID 1644 wrote to memory of 2116	1644	Pinball.exe	43
PID 1644 wrote to memory of 2116	1644	Pinball.exe	43
PID 1644 wrote to memory of 2116	1644	Pinball.exe	43
PID 1644 wrote to memory of 2116	1644	Pinball.exe	43
PID 1644 wrote to memory of 1940	1644	Pinball.exe	44
PID 1644 wrote to memory of 1940	1644	Pinball.exe	44
PID 1644 wrote to memory of 1940	1644	Pinball.exe	44
PID 1644 wrote to memory of 1940	1644	Pinball.exe	44
PID 1644 wrote to memory of 836	1644	Pinball.exe	45
PID 1644 wrote to memory of 836	1644	Pinball.exe	45
PID 1644 wrote to memory of 836	1644	Pinball.exe	45
PID 1644 wrote to memory of 836	1644	Pinball.exe	45
PID 2816 wrote to memory of 1496	2816	Pinball.exe	46
PID 2816 wrote to memory of 1496	2816	Pinball.exe	46
PID 2816 wrote to memory of 1496	2816	Pinball.exe	46
PID 2816 wrote to memory of 1496	2816	Pinball.exe	46
PID 2816 wrote to memory of 2228	2816	Pinball.exe	47

C:\Users\Admin\AppData\Local\Temp\e00b253eda798487f5fef2ef25164fd8.exe
"C:\Users\Admin\AppData\Local\Temp\e00b253eda798487f5fef2ef25164fd8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
    C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
      "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Control Panel
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        6⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        7⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        8⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        9⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        10⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        11⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        12⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        13⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        14⤵
        Executes dropped EXE
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        15⤵
        Modifies Control Panel
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        16⤵
        Modifies Control Panel
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        17⤵
        Modifies Control Panel
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        18⤵
        Modifies Control Panel
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        19⤵
        Modifies Control Panel
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        20⤵
        Modifies Control Panel
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        21⤵
        Modifies Control Panel
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        22⤵
        Modifies Control Panel
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        23⤵
        Modifies Control Panel
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        24⤵
        Modifies Control Panel
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        Modifies Control Panel
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        26⤵
        Modifies Control Panel
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        27⤵
        Modifies Control Panel
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        28⤵
        Modifies Control Panel
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        29⤵
        Modifies Control Panel
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        30⤵
        Modifies Control Panel
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        31⤵
        Modifies Control Panel
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        31⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        31⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        31⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        31⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        31⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        30⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        30⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        30⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        30⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        30⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        29⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        29⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        29⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        29⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        29⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        28⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        28⤵
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        28⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        28⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        28⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        27⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        27⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        27⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        27⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        27⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        26⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        26⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        26⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        26⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        26⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        25⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        24⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        24⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        24⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        24⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        24⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        23⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        23⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        23⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        23⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        23⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        22⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        22⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        22⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        22⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        22⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        21⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        21⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        21⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        21⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        21⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        20⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        20⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        20⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        20⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        20⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        19⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        19⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        19⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        19⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        19⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        18⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        18⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        18⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        18⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        18⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        17⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        17⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        17⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        17⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        17⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        16⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        16⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        16⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        16⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        16⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        15⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        15⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        15⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        10⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        9⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        8⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        7⤵
        Executes dropped EXE
        
        PID:1356
      - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
      - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
      - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
      - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
      - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        6⤵
        Executes dropped EXE
        
        PID:776
    - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
        
        "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
  - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
      "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2432
  - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
      "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
      "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2184
  - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
      "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe
      "C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso5F90.tmp\liteFirewall.dll

Filesize
81KB

MD5
165e1ef5c79475e8c33d19a870e672d4

SHA1
965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5

SHA256
9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd

SHA512
cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

Download Submit
C:\Users\Admin\AppData\Roaming\Pinball\Pinball.exe

Filesize
183KB

MD5
7c29fb72d1b284f81245d2d09f7b5d7e

SHA1
5a944edbd670dd8daa5a94de8be82fd7b5122b7f

SHA256
6baca4ab95c86bbc783842cb57e80c71be5c3ca379d54b4f279d939af3b416b4

SHA512
fb0ca73a86f852ee9b2557c62fef2f7b8ca905a0cb085cfab279d9cf8fd0cb6dee8f19d66d3a218a6f61a8ff6cad06636e6641340895648ac46969beacb5e144

Download Submit
C:\Users\Admin\AppData\Roaming\Pinball\Uninstall.exe

Filesize
113KB

MD5
f4b4605b9a33166a894e61b7d83795db

SHA1
cc634b064afb9bbca03007c2184d56d5d50e01f2

SHA256
bce3c5d714c7b4e5e456b9c955fe8328526168cd694a873f48f6b36d679b4fe2

SHA512
a8a16cc32d71b3e3fc6adf2a43f366f4d02c8a258bbbe05b67047b7629a0f9ff8b5ea2bdd0d0ae074250a1bb2d44f3da16bf4210a797dcf8178924bf0c566860

Download Submit
C:\Users\Admin\AppData\Roaming\Pinball\libcef.DLL

Filesize
168.3MB

MD5
f5259cc7721ca2bcc8ac97b76b1d3c7a

SHA1
c2fc0c8396d8cd6764809a2a592972e2ebca64ba

SHA256
3fe6a262ef01cb8fd4dc2d4373de0f1f0a89ee51953452ed4557cb55f1da9ab4

SHA512
2d01b1f2b24717eff37965bbc32d167434a65f3dfff74342d2e2fa8fbb0e97c3f61fdf673a13ad63031d630d9ce46a6f9f0c4f89ebd30c31f3ea55817b9d1331

Download Submit
\Users\Admin\AppData\Local\Temp\nsiE63.tmp\INetC.dll

Filesize
21KB

MD5
92ec4dd8c0ddd8c4305ae1684ab65fb0

SHA1
d850013d582a62e502942f0dd282cc0c29c4310e

SHA256
5520208a33e6409c129b4ea1270771f741d95afe5b048c2a1e6a2cc2ad829934

SHA512
581351aef694f2489e1a0977ebca55c4d7268ca167127cefb217ed0d2098136c7eb433058469449f75be82b8e5d484c9e7b6cf0b32535063709272d7810ec651

Download Submit
\Users\Admin\AppData\Local\Temp\nsiE63.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
102.2MB

MD5
f6c955039d8d0158871eaa4742cf9b42

SHA1
8c8af212b3e15eb8642ace3f93ed549547ec925b

SHA256
082acf311a0c64d1d96cfaeae5f2b43409eb4463e21700748965e21b718f2353

SHA512
4dc41a01fc59467de515aeb5dcdf0856db7c2258b400039643711d658184b97bfbcbc4814d1ce65ace022c3a1381ddfb3b0273f423bfc141d7342235159a21e3

Download Submit
\Users\Admin\AppData\Roaming\Pinball\Newtonsoft.Json.dll

Filesize
560KB

MD5
8f81c9520104b730c25d90a9dd511148

SHA1
7cf46cb81c3b51965c1f78762840eb5797594778

SHA256
f1f01b3474b92d6e1c3d6adfae74ee0ea0eba6e9935565fe2317686d80a2e886

SHA512
b4a66389bf06a6611df47e81b818cc2fcd0a854324a2564a4438866953f148950f59cd4c07c9d40cc3a9043b5ce12b150c8a56cccdf98d5e3f0225edf8c516f3

Download Submit
\Users\Admin\AppData\Roaming\Pinball\Xilium.CefGlue.dll

Filesize
855KB

MD5
b03c7f6072a0cb1a1d6a92ee7b82705a

SHA1
6675839c5e266075e7e1812ad8e856a2468274dd

SHA256
f561713347544e9d06d30f02a3dfcec5fe593b38894593aeedf5700666b35027

SHA512
19d6792eb9ba8584b94d0d59e07ce9d1c9c4da5516490f4abce5ae0d7d55b357bda45b2093b3e9eb9d6858061e9d3f530a6655c4779a50c911501ae23925c566

Download Submit
\Users\Admin\AppData\Roaming\Pinball\log4net.dll

Filesize
269KB

MD5
7ea1429e71d83a1ccaa0942c4d7f1c41

SHA1
4ce6acf4d735354b98f416b3d94d89af0611e563

SHA256
edec54da1901e649588e8cb52b001ab2aec76ed0430824457a904fcc0abd4299

SHA512
91c90845a12a377b617140b67639cfa71a0648300336d5edd422afc362e65c6ccd3a4ff4936d4262b0eaf7bae2b9624bcd3c7eec79f7e7ca18abe1ec62c4c869

Download Submit
memory/776-239-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/776-241-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/776-238-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/776-231-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/836-213-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/836-221-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-148-0x0000000002410000-0x00000000024A0000-memory.dmp

Filesize
576KB

Download
memory/1448-155-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/1448-154-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-144-0x0000000005220000-0x00000000052FC000-memory.dmp

Filesize
880KB

Download
memory/1448-140-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/1448-137-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/1448-197-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-133-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-132-0x0000000000FD0000-0x0000000001004000-memory.dmp

Filesize
208KB

Download
memory/1496-240-0x0000000000AB0000-0x0000000000B40000-memory.dmp

Filesize
576KB

Download
memory/1496-232-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/1496-229-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-222-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-159-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-162-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/1644-202-0x0000000005890000-0x0000000005920000-memory.dmp

Filesize
576KB

Download
memory/1644-203-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1644-204-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/1644-218-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1664-243-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1708-198-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-201-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-208-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1768-209-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

Filesize
256KB

Download
memory/1768-215-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-225-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/1868-224-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-233-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-211-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-216-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/1940-212-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/1968-200-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-242-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2028-249-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-246-0x0000000004550000-0x0000000004590000-memory.dmp

Filesize
256KB

Download
memory/2096-245-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-217-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-210-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2184-199-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-227-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/2200-226-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-234-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-223-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-237-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2432-196-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-244-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-228-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-236-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-230-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2816-235-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-205-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-220-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/2816-219-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-206-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-214-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-207-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/2996-247-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-248-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download