b931be51f58aefde0a308963de518204d7ea7422b752ddbd96d22119516d0d47

Analysis

max time kernel
136s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Haxball-Setup-0.3.4.exe
Size

51.8MB
MD5

98c2c1a926209520eda30f9c39b0d9e1
SHA1

697e61e4105fbfa4f77f2f4f438c70f0f4756fb0
SHA256

3619af438c00c13f87a34406bd379081817a7dd8b2fcd880e6c88c1ec93d7f1c
SHA512

39895e2fa79865ce7b21aee31fe5a16f1235eac2cbb1a0eabfc5cc2166d2406a52961321026752279e965ace51138595fcda4a411580f6d703d2ee256fdb60d3
SSDEEP

1572864:CqqSChgYfRrRd7QSkIVeWM43GuTTwHsnL5Z:CqH0prRpQQXM47TsMnT

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Haxball.exeHaxball.exeHaxball.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	Haxball.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	Haxball.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation	Haxball.exe

Executes dropped EXE 6 IoCs

Processes:

Haxball.exeHaxball.exeHaxball.exeHaxball.exeHaxball.exeHaxball.exe

pid process

1992 Haxball.exe
1808 Haxball.exe
828 Haxball.exe
2528 Haxball.exe
2060 Haxball.exe
1664 Haxball.exe

pid	process
1992	Haxball.exe
1808	Haxball.exe
828	Haxball.exe
2528	Haxball.exe
2060	Haxball.exe
1664	Haxball.exe

Loads dropped DLL 23 IoCs

Processes:

Haxball-Setup-0.3.4.exeHaxball.exeHaxball.exeHaxball.exeHaxball.exeHaxball.exeHaxball.exe

pid	process
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
1992	Haxball.exe
1808	Haxball.exe
828	Haxball.exe
1808	Haxball.exe
1808	Haxball.exe
1808	Haxball.exe
2528	Haxball.exe
2060	Haxball.exe
2060	Haxball.exe
2060	Haxball.exe
2060	Haxball.exe
1664	Haxball.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Haxball.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Haxball.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Haxball.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Haxball.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Haxball.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Haxball.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Haxball.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Haxball.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Haxball.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Haxball.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Haxball.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Haxball-Setup-0.3.4.exeHaxball.exeHaxball.exeHaxball.exeHaxball.exe

pid	process
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
2316	Haxball-Setup-0.3.4.exe
828	Haxball.exe
2528	Haxball.exe
1664	Haxball.exe
1992	Haxball.exe
1992	Haxball.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Haxball-Setup-0.3.4.exe

description pid process

Token: SeSecurityPrivilege 2316 Haxball-Setup-0.3.4.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Haxball.exe

pid process

1992 Haxball.exe
1992 Haxball.exe
1992 Haxball.exe
1992 Haxball.exe
1992 Haxball.exe

description	pid	process
Token: SeSecurityPrivilege	2316	Haxball-Setup-0.3.4.exe

pid	process
1992	Haxball.exe
1992	Haxball.exe
1992	Haxball.exe
1992	Haxball.exe
1992	Haxball.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Haxball.exe

description	pid	process	target process
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 1808	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 828	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 828	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 828	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 828	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2528	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2528	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2528	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2528	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe
PID 1992 wrote to memory of 2060	1992	Haxball.exe	Haxball.exe

C:\Users\Admin\AppData\Local\Temp\Haxball-Setup-0.3.4.exe
"C:\Users\Admin\AppData\Local\Temp\Haxball-Setup-0.3.4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe
"C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe
"C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe" --type=gpu-process --field-trial-handle=932,13172722371261862254,14146332991536859693,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=944 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808

C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe
"C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=932,13172722371261862254,14146332991536859693,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1468 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe
"C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe" --type=renderer --field-trial-handle=932,13172722371261862254,14146332991536859693,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\haxball-application\resources\app.asar" --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1632 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2528

C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe
"C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe" --type=gpu-process --field-trial-handle=932,13172722371261862254,14146332991536859693,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=944 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060

C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe
"C:\Users\Admin\AppData\Local\Programs\haxball-application\Haxball.exe" --type=renderer --field-trial-handle=932,13172722371261862254,14146332991536859693,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\haxball-application\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1684 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63b36befad39ae9d1d9fe15d01c9fe9c

SHA1
95d503bf9507cd7c268f672dad7e0d046d4fe2e0

SHA256
8f2b76fc875f78241ee15fb7df26372172c3daf5579edd25c2aed32fab4aef48

SHA512
e2720b4cb1f3c714743b2eee6cbac6f3f87a958dcfe94ab00c20cf0b0e2f23bf4d0358b1d65dc7997374a67651c0630e08556ce59734877df36c17b640b6771c

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\chrome_100_percent.pak

Filesize
176KB

MD5
d5719b1f791ac999c3cfda2e4405bdce

SHA1
c5d94054bcb271dee08714c313476abd67be28ca

SHA256
7cb9d93a16e5621ab765e3f3b459f4698ae496035e283f2c0c390b188a487741

SHA512
ce75bde78ddf6bc394662c5d0ce107ba375b13bf75a31ba1888dffa74900fa86babd65ce222c38db73a11c8d54b3c6f6046b8f71ce80281eec884fd7f0cd1583

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\chrome_200_percent.pak

Filesize
313KB

MD5
0649df49260e18326c9a54545131aaec

SHA1
76de40e3b828cb42cb8b9beb31808ea2145eda56

SHA256
070a6cb68318a032ec17cd7b07f8af8bd6983f16997f50a231d232396a2f570f

SHA512
c196726564ea218c1e58121f43ab6f138a676a47cd53ad9099daec4cc3a491cf7f9127c56f31f8ec460080ba5f2f56eb2f6c7d37e286e05c4dbd9592552185d4

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\icudtl.dat

Filesize
10.0MB

MD5
9732e28c054db1e042cd306a7bc9227a

SHA1
6bab2e77925515888808c1ef729c5bb1323100dd

SHA256
27993e2079711d5f0f04a72f48fee88b269604c8e3fbdf50a7f7bb3f5bfc8d8e

SHA512
3eb67ab896a56dab4a2d6eea98f251affd6864c5f5b24f22b61b6acc1df4460d86f0a448f1983aac019e79ff930286c3510891be9d48ef07a93ff975a0e55335

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\locales\en-US.pak

Filesize
80KB

MD5
69d7c5168de6b4311a36c39ca7ca60f0

SHA1
40ff72437b51677065d68a6486e3b03e0a27102d

SHA256
fdeb2723f423dfe7ee4c19cc052398cbe796bfce7d432d0abe4ea40e6c6e3dab

SHA512
4e1fd01bd7d5f65f8aa2f0b2f4845106df916a53dd4898d0cec7fc538c2908d22f4ffd3dacf023c7854f4854534468a9bc93763be21075661501c6ceca2ca0e7

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\resources.pak

Filesize
4.1MB

MD5
977bdf44c3bd2fa5ece6f23915a7acc6

SHA1
df371edc31eb80fe0899447deac2921f519c8cc5

SHA256
2fe8dd43b377a908df6454ec3005b3e25409a82bfb45c35ba871f05cc578c21e

SHA512
d437bcc48bec3ad66a5cd0e6d6c3948276b897f6eca034b3c221ea1dc00fe7b27425d1491a1634b6ac843fc1f12aecd20bf2a7da5fe8023aac824adc0f791639

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\resources\app.asar

Filesize
11.7MB

MD5
5c311655241d37b440d5257b0893624e

SHA1
a0b88d1190dfd04803f283f45e2c5668298bdc02

SHA256
aefe5bc054e0adc08616d93ed0266afe06a02c798597580be9a8226ba09c9ff0

SHA512
d8c27ab13ce6564dbf22d55c27d7609a6e0e1b4ec8b9a61970ff3c2b062e810f5efffff3c2896d3d23605df23453a2a7ee62439a177c7d5b30f06a5c6ca48cf5

Download Submit
C:\Users\Admin\AppData\Local\Programs\haxball-application\v8_context_snapshot.bin

Filesize
167KB

MD5
d644bba1542afa11fdda21a6d02b9aec

SHA1
310be26945e2c86a2728c94465ef8356004d2155

SHA256
02bab4d0fb593602ddbd74f494fd6376456bbde8f3940f155c5db57e263c0835

SHA512
f5c01316de5a8ae6994b908fee79714f46d550fcf1c082abf4d8c353103a1bf2f32808a54ca8d4355cd071541dcafe352631d39ba652d3ac72a930b02e232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4166.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4237.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5cc4d1e-9356-42c3-a51c-5e578d21bebd.tmp.ico

Filesize
178KB

MD5
7da44d4d6642438a8a9af46b6613bcb4

SHA1
e2dadcf9899d1e9e200f4981e731b14e0d379bfc

SHA256
5f33d7499caeef8d7d801356f5b9faf8b0b1ffe0c2fa6e95aeba22f7f30b07b5

SHA512
cbe16fd36c567158aa5aa55c520a4522c94b42913ff02597ba1c2e4585b57adbb6e7b67528f3029e91b9152f5b08d69ef7415189d4f9d7659eb3fa02e078e12b

Download Submit
C:\Users\Admin\AppData\Roaming\haxball-application\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\Users\Admin\AppData\Local\Programs\haxball-application\d3dcompiler_47.dll

Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
\Users\Admin\AppData\Local\Programs\haxball-application\ffmpeg.dll

Filesize
2.5MB

MD5
db7974db8af148508cab4ce2017e8b1f

SHA1
48c81f39f0e2223aa0b110a3474bd8d0213d8760

SHA256
2f1d4a76994c2defd144ff1f2e7c64b8bd028d197994403b135f97657410980a

SHA512
2450420be11ed84fb2a533128475d51e83573085e8f4de43ff9390bfde08ae9f7e35a19079bb8d085d9f55d9e32ecfe6bd2695760e46f3363a210a6292cc938f

Download Submit
\Users\Admin\AppData\Local\Programs\haxball-application\libEGL.dll

Filesize
348KB

MD5
985125118e135a027cf98c189281fccc

SHA1
5eac86608875e127810b02122c5a7d8aa258c233

SHA256
f156ca816c7bcfef973b16c745afb472173366f9eef015176ac3c5d6cb698639

SHA512
439591c75f909a633f8534bfca39b2ec9c20e181b6fcca2a927dde2108d3d8317732369cfe04c1296b43dd3f60a0c191947ecfc5da33586c63a03b932e8fe614

Download Submit
\Users\Admin\AppData\Local\Programs\haxball-application\libGLESv2.dll

Filesize
8.0MB

MD5
858ef7e52143fa10ac2ae622f8dce4de

SHA1
c98296693133006b8e386544e1fe96681558fce2

SHA256
af8915450edb35401433e8c70a6e6f04b734f297662b2a4f419b10e2f8f616f7

SHA512
692712ff5478f760cea32d404a3dbd7dc20c5d50c8b4946bf62083335727dbf87a24056e393099733f6d1b005dbb9f6d06e36aa84d1d8e6378c4f33de8ff6693

Download Submit
\Users\Admin\AppData\Local\Programs\haxball-application\swiftshader\libEGL.dll

Filesize
372KB

MD5
bb9ded3f46e382a20d7ed52365360dfa

SHA1
d7c5d595d357fbbbb5d2c9df1884ed063e923672

SHA256
b5bc4fff5e7ac12141fc4bdc24c2ba0a8bbc640cb98ad855a98e4dd1e9e83e10

SHA512
802b9f595ca60f587b2700f17b4a1ee994d7f38e2fb4e6e7af478d052aa0bfdba60ccb36a5f7e18c92dbebaf5d4bdc8451bc6382c3f517eac162cb8bda4fb029

Download Submit
\Users\Admin\AppData\Local\Programs\haxball-application\swiftshader\libGLESv2.dll

Filesize
2.7MB

MD5
01d26b5b8815fd05c35f707e6fd66043

SHA1
72e843f983376f1a250bda111441509bba897872

SHA256
054db533d7821f3cca25dc120525fd642b054a82f3de6a544f9759b198e88a64

SHA512
6db41be8f85d0b8826b280506a46c1cff292cf1943273ae95cc7e40f0223cf2345398cfaa96356ca8f1de7dc2df5d430e49bc7331706a590f8ebb11ee0c2e19c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2991.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2991.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2991.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2991.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2991.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2991.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1808-235-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/2316-221-0x0000000002DA0000-0x0000000002DA2000-memory.dmp

Filesize
8KB

Download