12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6.dll
Size

62KB
MD5

7778309ac53566c636ccddebeb2116d0
SHA1

b685a2dc2c1c918251710fd681062c3d77e28e7d
SHA256

12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6
SHA512

b89b6f9de7473ee5d8914805b337c682541ba9fcb163e381ae1ab17be1f417187ccbe46d8419d1c9579b1b47107ad01011b6fa69173f2467ec4fca727e8841a4
SSDEEP

1536:GnNBbq4+CSvXceTPa0T6iN7X8Nek/8FKevXlS:+Dm4+CKMtO6iNMt8FvX

Score

8^/10

bootkit persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1260	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1160	CS16Launcher.exe
1948	CS16Launcher.exe
1588	hl.exe

Loads dropped DLL 14 IoCs

pid	Process
1308	cmd.exe
1160	CS16Launcher.exe
1872	cmd.exe
1872	cmd.exe
1948	CS16Launcher.exe
1948	CS16Launcher.exe
1588	hl.exe
1588	hl.exe
1588	hl.exe
1588	hl.exe
1588	hl.exe
1588	hl.exe
1588	hl.exe
1588	hl.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	hl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1584	tasklist.exe
1256	tasklist.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1000	taskkill.exe
1548	taskkill.exe
1380	taskkill.exe
1456	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	CS16Launcher.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CS16Launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CS16Launcher.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
552	PING.EXE
884	PING.EXE
276	PING.EXE
1632	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1160	CS16Launcher.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1584	tasklist.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	1256	tasklist.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1160	CS16Launcher.exe
1160	CS16Launcher.exe
1588	hl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1632 wrote to memory of 1260	1632	rundll32.exe	28
PID 1260 wrote to memory of 1308	1260	rundll32.exe	31
PID 1260 wrote to memory of 1308	1260	rundll32.exe	31
PID 1260 wrote to memory of 1308	1260	rundll32.exe	31
PID 1260 wrote to memory of 1308	1260	rundll32.exe	31
PID 1308 wrote to memory of 1380	1308	cmd.exe	33
PID 1308 wrote to memory of 1380	1308	cmd.exe	33
PID 1308 wrote to memory of 1380	1308	cmd.exe	33
PID 1308 wrote to memory of 1380	1308	cmd.exe	33
PID 1308 wrote to memory of 1456	1308	cmd.exe	35
PID 1308 wrote to memory of 1456	1308	cmd.exe	35
PID 1308 wrote to memory of 1456	1308	cmd.exe	35
PID 1308 wrote to memory of 1456	1308	cmd.exe	35
PID 1308 wrote to memory of 1000	1308	cmd.exe	36
PID 1308 wrote to memory of 1000	1308	cmd.exe	36
PID 1308 wrote to memory of 1000	1308	cmd.exe	36
PID 1308 wrote to memory of 1000	1308	cmd.exe	36
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1308 wrote to memory of 1160	1308	cmd.exe	37
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1160 wrote to memory of 1872	1160	CS16Launcher.exe	39
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 856	1872	cmd.exe	41
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1548	1872	cmd.exe	44
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1872 wrote to memory of 1860	1872	cmd.exe	45
PID 1860 wrote to memory of 1256	1860	cmd.exe	46
PID 1860 wrote to memory of 1256	1860	cmd.exe	46
PID 1860 wrote to memory of 1256	1860	cmd.exe	46
PID 1860 wrote to memory of 1256	1860	cmd.exe	46
PID 1860 wrote to memory of 1256	1860	cmd.exe	46
PID 1860 wrote to memory of 1256	1860	cmd.exe	46

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\12f67bc3609350baf1db63934abe3db86523574a3dc3587e2b2727b5681302f6.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cs16r2.bat
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /FI "STATUS eq RUNNING" /IM "rundll32.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1380
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /FI "STATUS eq NOT RESPONDING" /IM "rundll32.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1456
  - - C:\Windows\SysWOW64\taskkill.exe
      TASKKILL /FI "STATUS eq UNKNOWN" /IM "rundll32.exe" /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe
      CS16Launcher.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\~191D.bat" -game cstrike -noipx -nojoy -noforcemparms -noforcemaccel"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /fo csv |FINDSTR /I /C:"CS16Launcher.exe"
        6⤵
        
        PID:856
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fo csv
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\SysWOW64\findstr.exe
        
        FINDSTR /I /C:"CS16Launcher.exe"
        7⤵
        
        PID:1592
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im ""CS16Launcher.exe""
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist /nh /fi "imagename eq CS16Launcher.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /nh /fi "imagename eq CS16Launcher.exe"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 1
        6⤵
        Runs ping.exe
        
        PID:1632
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 2
        6⤵
        Runs ping.exe
        
        PID:552
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 2
        6⤵
        Runs ping.exe
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe
        
        "CS16Launcher.exe" -game cstrike
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\hl.exe
        
        "CS16Launcher.exe" -game cstrike
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:1588
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 2
        6⤵
        Runs ping.exe
        
        PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
219KB

MD5
002569d719a892cefdee47b40fb9de9d

SHA1
c87baaf1db6f143eafceafb0e10be366a729cff7

SHA256
a8b816e969bbb052ac822e0dcd4ef7021dd0e14bde5a17e58f9756cfd4209746

SHA512
00f19ef8b9ef56a889f31896bfba7171bb43e48a2fc2d514a38952c6d1ce122b53a516b2425cd2ff2313f2aec834bf5a438450cb12248719200bfce89e128321

Download Submit
C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
2.3MB

MD5
1875f43c02db112f5a532fd49d37394a

SHA1
bec20bed918ffc6f667d670ff784d1872744af3b

SHA256
6ff69a1927b142cac353f444e00def83ee06fbcf078409b4e7667543f386fb7a

SHA512
54b8fcd44dfd7597649f7a95fc3a4a166ff865101746bca6200a2d4953e8418eeb512d7e476f9eeb0b4ad601097c0f9d3c8cd563a6ffa753d4692e8a1b5b6519

Download Submit
C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
2.3MB

MD5
1875f43c02db112f5a532fd49d37394a

SHA1
bec20bed918ffc6f667d670ff784d1872744af3b

SHA256
6ff69a1927b142cac353f444e00def83ee06fbcf078409b4e7667543f386fb7a

SHA512
54b8fcd44dfd7597649f7a95fc3a4a166ff865101746bca6200a2d4953e8418eeb512d7e476f9eeb0b4ad601097c0f9d3c8cd563a6ffa753d4692e8a1b5b6519

Download Submit
C:\Users\Admin\AppData\Local\Temp\CS16Launcher.exe.New

Filesize
219KB

MD5
002569d719a892cefdee47b40fb9de9d

SHA1
c87baaf1db6f143eafceafb0e10be366a729cff7

SHA256
a8b816e969bbb052ac822e0dcd4ef7021dd0e14bde5a17e58f9756cfd4209746

SHA512
00f19ef8b9ef56a889f31896bfba7171bb43e48a2fc2d514a38952c6d1ce122b53a516b2425cd2ff2313f2aec834bf5a438450cb12248719200bfce89e128321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam.dll

Filesize
322KB

MD5
94d9e620da6bd5fe5a4d20aebb15ec6d

SHA1
3c63d12fd2fda36048461c3a74ef228bb58da61a

SHA256
88f7c7fe458ec238599dc57063a69b6417902f1e3591c6239af7c400954f764e

SHA512
d1fe188954b45d2db40dcb06b44fb60dfe09fd0e0118ddebb27cb294202c2f59b49009e99d28e200078b22061d48d5b3de6251f255426087337c9fc462a74af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cs16r2.bat

Filesize
991B

MD5
f0cb13b3a1891b5637b27a30b267c211

SHA1
2b819d5a84e447f6b8ca6ad5da846e81d7ef15bb

SHA256
5a4c82f579ce4938ac5eb41962315a2d91be3417ff7e7720abacff227ff99a8b

SHA512
add983bdce8fb79521efd72bdc6fac34c979215ed40e05ce162dc5d039a0a548eea920a6bc4890601e89882c38a5fd84efefcaa8b28c75f3ba9bc31cb49e2665

Download Submit
C:\Users\Admin\AppData\Local\Temp\filesystem_stdio.dll

Filesize
116KB

MD5
d9c4a776f838733c64331db0c87af459

SHA1
480aedeccdf5845de06c7bf39f59783a8fe92b1a

SHA256
4f7dca9537cdf20b65da599ffc33ea69e8a132239cfb6a3d0b1b623359dcda85

SHA512
5996c9a5cc5bc459b4dcdd7961690cbefdb741dd19338bfb4d1a864ce265e623f4e204dc6f1d4b0b84e66d0ae2f56b4f9bdb3cd7355f8a450703d0a2614d8d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hl.exe

Filesize
84KB

MD5
2098ccf443433129b556c2849fe99e26

SHA1
074ddbaff48c88b3b5c8f881c35d2be2bb19a249

SHA256
4a899986a879ffd4b7e2d819c49b47cb362d849e86917da1f1931ef476b414af

SHA512
fb4dcfd5371c89af775367d9f2ba72bfd42f8b483ba31b0e839b66f065e5e7a1ec34bf4504aaad17e38502be6917f0b3e415add81dc84fc6942996c0a8f95a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\hw.dll

Filesize
1.8MB

MD5
a0bc2e53bb55121719af9386ac2ff588

SHA1
1642aa1bfd63585fb324b8d23806efead856a3c9

SHA256
7802a1fcc2ab1749399e455faae907c0df3194386160dc4fa0164c427662fdc2

SHA512
e3a2b2ed965d15833ded927c6566a5facf11d1d654b65f2bbce70405013f2fe13009fe61b5488821f0846fd6cf0a5c5f2fd15a1a93c61c97540c917bd5040c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwpatcher.dll

Filesize
69KB

MD5
3531565d73be13ffdeabc638d0d32ece

SHA1
59e17ec1365012e143b559a5e33ea1792f5264e0

SHA256
ad16e56157ceae1169edb1bfa6c902ce85d3f5e23815403d27ccff32efb1a4f2

SHA512
5dc99ef4a12f0feb05f78b911fed456cb81470caf011ecdc5b75485b29e3b4025ff9ae6a51870a9752cbd66f13971b06dd74e6c803ede7c5a4dc0371a2d18235

Download Submit
C:\Users\Admin\AppData\Local\Temp\mss32.dll

Filesize
343KB

MD5
f520185e02e8a5d85860669176bc4adc

SHA1
cea8e9ff14994c89ad86cf891c89fea42a39250a

SHA256
fe62f1eb6ba407df77619d16927abbefad3c726014f6bd1f8c37a7c3d6b781cc

SHA512
b434e77a17cdac0109b698d0fccdd25dcdb15090a9fd0427504cc7f616673fa6c7307f07fb22cc2fc1e915887c0f9dc025aa8d38f51503f91df6a9ccee5ebe58

Download Submit
C:\Users\Admin\AppData\Local\Temp\steam_api_c.dll

Filesize
68KB

MD5
6baefb250616105b06438d6742d1ebde

SHA1
bd5b8f0113ab76dd8e35d6c446ab0286450f5666

SHA256
02fe1504d1ff75a0ed34e4cd8000639711d0481b9ad888dc96ccf8eadddc4753

SHA512
4389235cd5077f5fa9774f5ef2b4a2122de357c897b30658ad3c581e8d8991cf987159849392fd6776a80bc57ab563eda5b0c1e6e167e4a61954e117ac963a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\vgui.dll

Filesize
344KB

MD5
d44ee82601ae62ede3e224269a0bbf53

SHA1
2d00b1d5e052584c6c86ec08795d56d2181a91ee

SHA256
0d4472d21443de839080860a300cca6b9436508f329d33d712e5c9bc07d4d998

SHA512
00dba1a1d88bbc8f77f86ac45068d3f071805a13bf30c7f5c3f3168d3b799e773a1a3a7decab7931a9104bfe91dc8d60cc54b9e82a12e01b29dfe13c4fd1d398

Download Submit
C:\Users\Admin\AppData\Local\Temp\~191D.bat

Filesize
1KB

MD5
96aad303fc7bebf7234ebd8ad5906b85

SHA1
3a30223011c8da127bdd7cdd813f2ba4fb1134f7

SHA256
a295ebf2732802ba73a326428e410fe6e91357e99861bb3dc14d5de5bd0f7970

SHA512
2ec18d732ab2f82e326109b54f0f4c76c7ecd452868785ecdf2a7ea341d812207c913d932994f24300a96b6b9c3d538d1327e0763641410a334e009e6377c3c1

Download Submit
\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
219KB

MD5
002569d719a892cefdee47b40fb9de9d

SHA1
c87baaf1db6f143eafceafb0e10be366a729cff7

SHA256
a8b816e969bbb052ac822e0dcd4ef7021dd0e14bde5a17e58f9756cfd4209746

SHA512
00f19ef8b9ef56a889f31896bfba7171bb43e48a2fc2d514a38952c6d1ce122b53a516b2425cd2ff2313f2aec834bf5a438450cb12248719200bfce89e128321

Download Submit
\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
219KB

MD5
002569d719a892cefdee47b40fb9de9d

SHA1
c87baaf1db6f143eafceafb0e10be366a729cff7

SHA256
a8b816e969bbb052ac822e0dcd4ef7021dd0e14bde5a17e58f9756cfd4209746

SHA512
00f19ef8b9ef56a889f31896bfba7171bb43e48a2fc2d514a38952c6d1ce122b53a516b2425cd2ff2313f2aec834bf5a438450cb12248719200bfce89e128321

Download Submit
\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
2.3MB

MD5
1875f43c02db112f5a532fd49d37394a

SHA1
bec20bed918ffc6f667d670ff784d1872744af3b

SHA256
6ff69a1927b142cac353f444e00def83ee06fbcf078409b4e7667543f386fb7a

SHA512
54b8fcd44dfd7597649f7a95fc3a4a166ff865101746bca6200a2d4953e8418eeb512d7e476f9eeb0b4ad601097c0f9d3c8cd563a6ffa753d4692e8a1b5b6519

Download Submit
\Users\Admin\AppData\Local\Temp\CS16Launcher.exe

Filesize
2.3MB

MD5
1875f43c02db112f5a532fd49d37394a

SHA1
bec20bed918ffc6f667d670ff784d1872744af3b

SHA256
6ff69a1927b142cac353f444e00def83ee06fbcf078409b4e7667543f386fb7a

SHA512
54b8fcd44dfd7597649f7a95fc3a4a166ff865101746bca6200a2d4953e8418eeb512d7e476f9eeb0b4ad601097c0f9d3c8cd563a6ffa753d4692e8a1b5b6519

Download Submit
\Users\Admin\AppData\Local\Temp\FileSystem_Stdio.dll

Filesize
116KB

MD5
d9c4a776f838733c64331db0c87af459

SHA1
480aedeccdf5845de06c7bf39f59783a8fe92b1a

SHA256
4f7dca9537cdf20b65da599ffc33ea69e8a132239cfb6a3d0b1b623359dcda85

SHA512
5996c9a5cc5bc459b4dcdd7961690cbefdb741dd19338bfb4d1a864ce265e623f4e204dc6f1d4b0b84e66d0ae2f56b4f9bdb3cd7355f8a450703d0a2614d8d82

Download Submit
\Users\Admin\AppData\Local\Temp\L3SPe9YF.dat

Filesize
40KB

MD5
e1cd35bbc28f73b7481e8835ee0f0b13

SHA1
ef40d489c61b178b54f8116548662ee876e0133f

SHA256
6ecef9ef0f62491d595b2f32c69b53c53a1b3a8a7c9dea39d56c6861f5b93bdf

SHA512
baf6f9063f95e6d699088ec4c0611825e030382ff913084feb7f913cc8f011d079b6c7143359391d8e30a5e26ac5a5358882b20e3ac31c5afdbe8867ff6f62a3

Download Submit
\Users\Admin\AppData\Local\Temp\Mss32.dll

Filesize
343KB

MD5
f520185e02e8a5d85860669176bc4adc

SHA1
cea8e9ff14994c89ad86cf891c89fea42a39250a

SHA256
fe62f1eb6ba407df77619d16927abbefad3c726014f6bd1f8c37a7c3d6b781cc

SHA512
b434e77a17cdac0109b698d0fccdd25dcdb15090a9fd0427504cc7f616673fa6c7307f07fb22cc2fc1e915887c0f9dc025aa8d38f51503f91df6a9ccee5ebe58

Download Submit
\Users\Admin\AppData\Local\Temp\Steam.dll

Filesize
322KB

MD5
94d9e620da6bd5fe5a4d20aebb15ec6d

SHA1
3c63d12fd2fda36048461c3a74ef228bb58da61a

SHA256
88f7c7fe458ec238599dc57063a69b6417902f1e3591c6239af7c400954f764e

SHA512
d1fe188954b45d2db40dcb06b44fb60dfe09fd0e0118ddebb27cb294202c2f59b49009e99d28e200078b22061d48d5b3de6251f255426087337c9fc462a74af7

Download Submit
\Users\Admin\AppData\Local\Temp\hl.exe

Filesize
84KB

MD5
2098ccf443433129b556c2849fe99e26

SHA1
074ddbaff48c88b3b5c8f881c35d2be2bb19a249

SHA256
4a899986a879ffd4b7e2d819c49b47cb362d849e86917da1f1931ef476b414af

SHA512
fb4dcfd5371c89af775367d9f2ba72bfd42f8b483ba31b0e839b66f065e5e7a1ec34bf4504aaad17e38502be6917f0b3e415add81dc84fc6942996c0a8f95a10

Download Submit
\Users\Admin\AppData\Local\Temp\hl.exe

Filesize
84KB

MD5
2098ccf443433129b556c2849fe99e26

SHA1
074ddbaff48c88b3b5c8f881c35d2be2bb19a249

SHA256
4a899986a879ffd4b7e2d819c49b47cb362d849e86917da1f1931ef476b414af

SHA512
fb4dcfd5371c89af775367d9f2ba72bfd42f8b483ba31b0e839b66f065e5e7a1ec34bf4504aaad17e38502be6917f0b3e415add81dc84fc6942996c0a8f95a10

Download Submit
\Users\Admin\AppData\Local\Temp\hw.dll

Filesize
1.8MB

MD5
a0bc2e53bb55121719af9386ac2ff588

SHA1
1642aa1bfd63585fb324b8d23806efead856a3c9

SHA256
7802a1fcc2ab1749399e455faae907c0df3194386160dc4fa0164c427662fdc2

SHA512
e3a2b2ed965d15833ded927c6566a5facf11d1d654b65f2bbce70405013f2fe13009fe61b5488821f0846fd6cf0a5c5f2fd15a1a93c61c97540c917bd5040c92

Download Submit
\Users\Admin\AppData\Local\Temp\hwpatcher.dll

Filesize
69KB

MD5
3531565d73be13ffdeabc638d0d32ece

SHA1
59e17ec1365012e143b559a5e33ea1792f5264e0

SHA256
ad16e56157ceae1169edb1bfa6c902ce85d3f5e23815403d27ccff32efb1a4f2

SHA512
5dc99ef4a12f0feb05f78b911fed456cb81470caf011ecdc5b75485b29e3b4025ff9ae6a51870a9752cbd66f13971b06dd74e6c803ede7c5a4dc0371a2d18235

Download Submit
\Users\Admin\AppData\Local\Temp\steam_api_c.dll

Filesize
68KB

MD5
6baefb250616105b06438d6742d1ebde

SHA1
bd5b8f0113ab76dd8e35d6c446ab0286450f5666

SHA256
02fe1504d1ff75a0ed34e4cd8000639711d0481b9ad888dc96ccf8eadddc4753

SHA512
4389235cd5077f5fa9774f5ef2b4a2122de357c897b30658ad3c581e8d8991cf987159849392fd6776a80bc57ab563eda5b0c1e6e167e4a61954e117ac963a45

Download Submit
\Users\Admin\AppData\Local\Temp\vgui.dll

Filesize
344KB

MD5
d44ee82601ae62ede3e224269a0bbf53

SHA1
2d00b1d5e052584c6c86ec08795d56d2181a91ee

SHA256
0d4472d21443de839080860a300cca6b9436508f329d33d712e5c9bc07d4d998

SHA512
00dba1a1d88bbc8f77f86ac45068d3f071805a13bf30c7f5c3f3168d3b799e773a1a3a7decab7931a9104bfe91dc8d60cc54b9e82a12e01b29dfe13c4fd1d398

Download Submit
memory/1260-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1588-115-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/1588-107-0x0000000000450000-0x00000000004A8000-memory.dmp

Filesize
352KB

Download
memory/1588-117-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/1588-104-0x0000000004920000-0x0000000005B4A000-memory.dmp

Filesize
18.2MB

Download
memory/1588-120-0x0000000004920000-0x0000000005B4A000-memory.dmp

Filesize
18.2MB

Download