blackmoon | 0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4

Analysis

max time kernel
231s
max time network
229s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d381bb52634f826.exe
Size

285KB
MD5

e72c60640dbe31fce8b08d8190282763
SHA1

476fd543dbb50cd60ea189369cc5014c1b7811d4
SHA256

0582b53407ec1509be024523fc82ac8a1d528bd670e931542f81dea17e347bc4
SHA512

19a40c4ff023a8109bb9b9c5cadd3e5a1b257ecab5c53fe7bb07520f8e8984d6128bad68863b54a23cf1982a2b6e0ae7fedc8375fab4033a7eaf4436f0ee6b92
SSDEEP

6144:LMYVjTqJ0dIS8l2I9FIs5oGHs+xgjhK2BV+L0CNCWiZnDoS:LMYpqMIfTKd+xYBAL0CALDoS

Score

10^/10

blackmoon banker discovery persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4944-135-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon
behavioral1/memory/2116-18049-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon
behavioral1/memory/2116-18051-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon
behavioral1/memory/2116-18055-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon
behavioral1/memory/2116-18056-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon
behavioral1/memory/2116-18057-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon
behavioral1/memory/2116-18058-0x0000000000400000-0x00000000004D8000-memory.dmp	family_blackmoon

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 14 IoCs

Processes:

SteamSetup.exesteamservice.exesteam.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exegldriverquery64.exesteamwebhelper.exegldriverquery.exevulkandriverquery64.exevulkandriverquery.exe1d381bb52634f826.exe

pid	process
3936	SteamSetup.exe
840	steamservice.exe
5700	steam.exe
2332	steam.exe
1976	steamwebhelper.exe
5840	steamwebhelper.exe
2196	steamwebhelper.exe
2160	steamwebhelper.exe
4420	gldriverquery64.exe
2536	steamwebhelper.exe
5376	gldriverquery.exe
5348	vulkandriverquery64.exe
1648	vulkandriverquery.exe
2116	1d381bb52634f826.exe

Loads dropped DLL 48 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

pid	process
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
5840	steamwebhelper.exe
5840	steamwebhelper.exe
5840	steamwebhelper.exe
2332	steam.exe
2196	steamwebhelper.exe
2196	steamwebhelper.exe
2196	steamwebhelper.exe
2332	steam.exe
2196	steamwebhelper.exe
2196	steamwebhelper.exe
2196	steamwebhelper.exe
2160	steamwebhelper.exe
2160	steamwebhelper.exe
2160	steamwebhelper.exe
2332	steam.exe
2536	steamwebhelper.exe
2536	steamwebhelper.exe
2536	steamwebhelper.exe
2536	steamwebhelper.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4944-133-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/4944-135-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
C:\Users\Admin\Downloads\1d381bb52634f826.xI7lrMde.exe.part	upx
behavioral1/memory/2116-18049-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/2116-18051-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/2116-18055-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/2116-18056-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/2116-18057-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/2116-18058-0x0000000000400000-0x00000000004D8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows\CurrentVersion\Run	SteamSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

steam.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\store\store_app_bg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\api\virtual_dpad_s.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_finnish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0416.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0406.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\hud\dpad_s.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\steam_home_os.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_button_x_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_dpad_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_button_l_arrow.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\ChatPasswordWarningDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0315.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\friends_icon.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui-public\images\controller\ghost_040_act_0060.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_r1.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\wordlists\english_compiled_words.dic_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_dpad_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\cropped_binding_gamepad_active_ls_down.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\layout\library\controller_binding_listener.xml_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_touch_tap.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\styles\music\music_playlist.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_030_inv_0120.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_button_home_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_up_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_dpad_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_l_swipe_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_button_x_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_neptune_gamepad+mouse.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\panorama\etc\pango\pango.modules_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\controller_nobattery.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\store\icon_steamos_storefront.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\nattypeprobe.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_button_circle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_rstick_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\SMPStatsDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_button_options.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\dropdown_ingame.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\gridview_mask.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui-public\images\controller\ghost_010_wpn_0411.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\ssa\ssa_italian_bigpicture.html_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\LocalizedAudioChoiceDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\receipt_cdkey_mustloginps3.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnOvrOffTopLeft.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui-public\sounds\deck_ui_side_menu_fly_in.wav_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lt.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_button_create_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\api-ms-win-core-util-l1-1-0.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\controller_config_mode_bpad_focus.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\music_volume_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_lt_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\api\ps5_button_dpad_move.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0415.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\secure_desktop_capture.exe_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\libraries\libraries~ef7b14eaf.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\gamespage_details_achievements.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\SteamFossilizeVulkanLayer64.json_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\store\bp_hipercard.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\systemmenu\icon_library.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\InviteFriendResultSubPanel_success.res_	steam.exe

Drops file in Windows directory 1 IoCs

Processes:

1d381bb52634f826.exe

description ioc process

File created C:\Windows\gzip.dll 1d381bb52634f826.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\gzip.dll	1d381bb52634f826.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exesteam.exesteam.exefirefox.exesteamwebhelper.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

steamwebhelper.exe

description ioc process

Key created \REGISTRY\USER\ steamwebhelper.exe

description	ioc	process
Key created	\REGISTRY\USER\	steamwebhelper.exe

Modifies registry class 43 IoCs

Processes:

steamservice.exefirefox.exefirefox.exesteamwebhelper.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\	steamwebhelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

steam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe

NTFS ADS 2 IoCs

Processes:

firefox.exefirefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\1d381bb52634f826.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exe

pid	process
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
3936	SteamSetup.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2160	steamwebhelper.exe
2160	steamwebhelper.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe
2332	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steam.exe

pid process

2332 steam.exe

pid	process
2332	steam.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

1d381bb52634f826.exefirefox.exeSteamSetup.exesteamservice.exefirefox.exe1d381bb52634f826.exe

description	pid	process
Token: SeDebugPrivilege	4944	1d381bb52634f826.exe
Token: SeDebugPrivilege	4944	1d381bb52634f826.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3164	firefox.exe
Token: SeDebugPrivilege	3936	SteamSetup.exe
Token: SeDebugPrivilege	3936	SteamSetup.exe
Token: SeDebugPrivilege	3936	SteamSetup.exe
Token: SeDebugPrivilege	3936	SteamSetup.exe
Token: SeDebugPrivilege	3936	SteamSetup.exe
Token: SeSecurityPrivilege	840	steamservice.exe
Token: SeSecurityPrivilege	840	steamservice.exe
Token: SeDebugPrivilege	4836	firefox.exe
Token: SeDebugPrivilege	4836	firefox.exe
Token: SeDebugPrivilege	2116	1d381bb52634f826.exe
Token: SeDebugPrivilege	2116	1d381bb52634f826.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

firefox.exefirefox.exesteamwebhelper.exe

pid	process
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe

Suspicious use of SendNotifyMessage 37 IoCs

Processes:

firefox.exefirefox.exesteamwebhelper.exe

pid	process
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe
1976	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

firefox.exeSteamSetup.exesteamservice.exefirefox.exesteam.exe

pid	process
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3164	firefox.exe
3936	SteamSetup.exe
840	steamservice.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
4836	firefox.exe
2332	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 2996 wrote to memory of 3164	2996	firefox.exe	firefox.exe
PID 3164 wrote to memory of 1192	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 1192	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 3988	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 1120	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 1120	3164	firefox.exe	firefox.exe
PID 3164 wrote to memory of 1120	3164	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1d381bb52634f826.exe
"C:\Users\Admin\AppData\Local\Temp\1d381bb52634f826.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.0.825412343\574965475" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30f01b4e-f688-4b58-8d73-af15e937d31b} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 1948 1dbfcbe8558 gpu
3⤵
PID:1192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.1.1541852025\186725952" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32ff632e-bf0f-42ae-9085-ecb26430fa2a} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 2332 1dbefd72858 socket
3⤵
- Checks processor information in registry
PID:3988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.2.705571003\698064862" -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3028 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f497ea-1611-41b6-8c3f-28c722684c01} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 3324 1db81fe6e58 tab
3⤵
PID:1120

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.3.6102843\1627527182" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3444 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3f3d42f-c414-4ebd-a78a-149ab1e9562d} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 3560 1db809add58 tab
3⤵
PID:1824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.4.2106688298\1013653973" -childID 3 -isForBrowser -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66d873bd-6764-41a9-945c-5b59164d68b8} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 4076 1dbefd61f58 tab
3⤵
PID:4188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.5.2124517211\861411451" -childID 4 -isForBrowser -prefsHandle 4312 -prefMapHandle 5040 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5842fc5a-2f96-434c-a9c3-7547fc59e3e1} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 2840 1db81877a58 tab
3⤵
PID:3020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.7.2007509273\1127415353" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a1745f5-ac24-46f2-aee6-2dabedfa1ca3} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 5292 1db81879858 tab
3⤵
PID:1652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.6.998319976\244894650" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5116 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f537ef4-3cac-4839-bb37-5d8dfce55778} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 1664 1db81878658 tab
3⤵
PID:2572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.8.1194022435\101860351" -childID 7 -isForBrowser -prefsHandle 5796 -prefMapHandle 5748 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {928f8090-3c23-433a-981e-30e3f0d3667d} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 5808 1db86b81458 tab
3⤵
PID:3856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.9.1611486846\1850728537" -parentBuildID 20221007134813 -prefsHandle 4548 -prefMapHandle 4824 -prefsLen 26770 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0490db97-d191-45c5-b679-3c0857174b17} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 4980 1db854ed858 rdd
3⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3164.10.11074302\1944806425" -childID 8 -isForBrowser -prefsHandle 5684 -prefMapHandle 1480 -prefsLen 26770 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ce762ee-9bab-4432-92f8-79d8f4d23d69} 3164 "\\.\pipe\gecko-crash-server-pipe.3164" 3428 1db85d08e58 tab
3⤵
PID:3308

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3936

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:840

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:5700

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=2332" "-buildid=1686779606" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SameSiteByDefaultCookies" "--enable-blink-features=ResizeObserver,Worklet,AudioWorklet" "--disable-blink-features=Badging"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1976

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1686779606 --initial-client-data=0x370,0x374,0x378,0x34c,0x37c,0x7ff966eaf070,0x7ff966eaf080,0x7ff966eaf090
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5840

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1664,3234476743942637170,5097395693974859337,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1686779606 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1672 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2196

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,3234476743942637170,5097395693974859337,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --lang=en-US --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1686779606 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2172 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1664,3234476743942637170,5097395693974859337,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1686779606 --steamid=0 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2536 /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2536

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
3⤵
- Executes dropped EXE
PID:4420

C:\Program Files (x86)\Steam\bin\gldriverquery.exe
.\bin\gldriverquery.exe
3⤵
- Executes dropped EXE
PID:5376

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
3⤵
- Executes dropped EXE
PID:5348

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
3⤵
- Executes dropped EXE
PID:1648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.0.1751208733\1978147446" -parentBuildID 20221007134813 -prefsHandle 1644 -prefMapHandle 1636 -prefsLen 21062 -prefMapSize 232767 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15713b29-3a18-46d8-8e34-380c47c97603} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 1744 2739d6e8858 gpu
3⤵
PID:3680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.1.723361214\1188453378" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21062 -prefMapSize 232767 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c29b72fc-511c-41f8-93f4-89debea67671} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 2160 2739d23ed58 socket
3⤵
- Checks processor information in registry
PID:5832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.2.2114058892\674938249" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3128 -prefsLen 21523 -prefMapSize 232767 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c90c4e14-146e-4ee7-af86-21aa9fa3cfe8} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 3140 2739dd5ff58 tab
3⤵
PID:2424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.3.202170715\1729029316" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 26883 -prefMapSize 232767 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e76dfa5-85bd-4472-86eb-7268663ce749} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 3448 27390f62858 tab
3⤵
PID:4540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.4.1600698655\592225852" -childID 3 -isForBrowser -prefsHandle 4516 -prefMapHandle 4520 -prefsLen 26942 -prefMapSize 232767 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {675b24bc-e7fd-4b49-8ed7-dbf5b88b4c59} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 4500 273a2e83958 tab
3⤵
PID:5872

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.5.1779889624\934165749" -childID 4 -isForBrowser -prefsHandle 4928 -prefMapHandle 4996 -prefsLen 26942 -prefMapSize 232767 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff74493-6fea-494f-aa5a-16d08a836e42} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 5060 273a425c958 tab
3⤵
PID:3124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.6.482081534\1646050597" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5176 -prefsLen 26942 -prefMapSize 232767 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0294f8c-8007-4ee4-a8a3-dfe22d837e9e} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 5252 273a42d2a58 tab
3⤵
PID:5208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4836.7.958626557\1283151535" -childID 6 -isForBrowser -prefsHandle 5152 -prefMapHandle 5156 -prefsLen 26942 -prefMapSize 232767 -jsInitHandle 1196 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {771e044d-3043-4f65-9f6e-f0f5997301f6} 4836 "\\.\pipe\gecko-crash-server-pipe.4836" 5108 273a42d1258 tab
3⤵
PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4e8
1⤵
PID:4776

C:\Users\Admin\Desktop\1d381bb52634f826.exe
"C:\Users\Admin\Desktop\1d381bb52634f826.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe
Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\Steam.exe
Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe
Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\bin\steamservice.exe
Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_
Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_
Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_
Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\textinput\drop06.tga_
Filesize
244KB

MD5
c7afc24e396da59a4ef402ddd2ccbceb

SHA1
dafbca40f8420fdf6c426fa6a3f0f6a43fb493d9

SHA256
996cd2d01542cec922c384708dcbfc8aee8773333ebda9a398f0236675f129b1

SHA512
013ff1f14b8c7214c88e42cf5d270324f4bbac6bf6b5eafa7dadf8d658c0eaa97a52f326df62867dab7926e8edbcb5bac89a0e675c57de5558f78b1bce313ef2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt
Filesize
4KB

MD5
8ebd46495dd3b4ab05431c5c771d5657

SHA1
e426214322a729faddb5bc80053af5750c76683b

SHA256
70c39d5d5b16640165de19cee80da4a391035108cbc5f5009372a86954f0fe92

SHA512
53afd923f583eda4db580935a8cdd62413af8e830c04f2c12d15c55e905c114ec11a5e4483660601504c27e9350e9e47c6432f8f699464e11c5050fe846d7dc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt
Filesize
6KB

MD5
239c03a3dc1c27993da724736d086cef

SHA1
ff88246f8ea3502873dcbdc622378f006c58a2e6

SHA256
b387e2fb971297d3438acca130c53dfdd202ae2ca5b52d6503333734cda4fbfc

SHA512
656922e8f2dec46ef36efba5c85088c47b02e89f62b27559611fcbe6ef85c6cd8462a4532e2d2d7f4faa977ab24f0de6f5f72e3075f8889db9e6e60baa162a32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt
Filesize
4KB

MD5
6def4d3cf1453d5fb69d22fca29892a4

SHA1
09fe62653e55668de75a9fc5b64949ea81eb4991

SHA256
60c29f3c57c44c58daf69be797bfede31967b1ddfc9bb68cb7ddaa0acda67c8c

SHA512
ee4f3f5dd8a8aadde9cff8f8aca8a45fa419c36fd8a4a7d3af9b71e1f7e5d9e1d01c329c70e6da53238822b536e35224e55004bf2e1af4ec17d5b56ccfc58549

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt
Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt
Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt
Filesize
4KB

MD5
2fe6613e267857982d7df4368c9827ec

SHA1
d520c7427b283e3ff167b850ab15352e46d328d3

SHA256
2eba5f3f0b0dbcc2cd69c36c220a2355d1ba3cd67b6e25b5846c80e1604bcac0

SHA512
cf2fc8978adf54dce5700eda7d8beb4917c89bf5458131171eab95463e1b3a3315770f4baae07e498e8e36a8478f09e27054ca2d06b4542c86d8459360572be4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt
Filesize
4KB

MD5
594be5b10d9f551e551cf20eae0e6dfc

SHA1
191c20f5cb0c27ecc5a055fa2379694f5e27a610

SHA256
e350ca62e777da4da6d25885be96d48e7ce3acf021a74f2a4902354a1bf03fbb

SHA512
e27bf6593a177c22e16ddf5a44d82b34b02063645a7fd63943b936028d9c433c89628038768a300c296c2d3bcab2ef6b8532a19f7283952d041865c704f62b0b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt
Filesize
4KB

MD5
da69785dfbf494002f108dd73020183d

SHA1
34bb6061cdf120e7dced0402e588c3f712cf2dc0

SHA256
8cce22e7f13486f2bc612dcc8fa31d81038e6084a350fa10299d40c3a7f878c8

SHA512
db773783b63ed1d66a59272e05304c174b69f85d2838ae8049dffed6b6b30c2011fd9042dd652f9a1733a2b6891870b426cf1985d41921e5360c9b1ae1330e20

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt
Filesize
4KB

MD5
395286db3e67a59868e2662c326c541a

SHA1
716014d76622612a1bde2d4e1744d024f6d0b830

SHA256
02e48ee4e10354a2b2741d2e57ef565404753779f847906b5ae5c98ede06c01b

SHA512
64cdf1e6701ea57474051e338eee74859fc0ff4acd71ee0718a9b8cd698e94a9793c1901b6791fc0fc268c53fbc1e7e2f94ac1024f3f8765bf713954c194b0fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt
Filesize
6KB

MD5
b9e30df8cf272813b121133fcf259752

SHA1
16706f982f16d5feb9c808f94b8cfa50c23f5d80

SHA256
88919d7be26fb3e06401fc0254733d92fd743ecc56da4177b41613e1f094c3e8

SHA512
7beb65c0477b02742741a8ce23557f4f15e8cf1b1ef03a6bbadbf594bdf2cd686d7356d93719111d27b309a10ca75846765a13bb3eb4d0411785dfb13a675fc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt
Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt
Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt
Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt
Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt
Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt
Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt
Filesize
4KB

MD5
5462f47e56b978659ef56f196db013f4

SHA1
4749824d4e909369f59217d4980963ff17353f3f

SHA256
cbfbe91d4a4661df814ea447c03f4ca872ef3e27073a1eb746faccbfe75afc8a

SHA512
5a437968fc06619cf553ced32dba9c7c948f4364f02c8017986e9a4f09e9832b849c7e0567485ca1beba34a258d29b2612ea3ed6045c81777e9a5201139f81a3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt
Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt
Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt
Filesize
4KB

MD5
31bd3d4d8de5af4642b21d586d5ee54d

SHA1
552bebb93c71cd8acd72558db1810530909fb276

SHA256
52f256ded29ce22945b5bc0ef7a227189dfa91da69265ec13283a7067c239071

SHA512
cea49fc70b18a1294ec7e564ff7f4d1ff7efeb0db1cf1b088da6adcecc282569380f225e9a150d1666c5c1977ba4de0a5d9d667c72cfb8569a50546b978e9132

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt
Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt
Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt
Filesize
4KB

MD5
e9b8fccdb78bf9d275b79c75b2ff3e7b

SHA1
4b549411ed4db0f0a3699e76531353c226b06a76

SHA256
41ecfe0ffd6043a66a41bf9ea032712f2d1bbc19b434c6c666a107ee379f21e4

SHA512
4ce905a31f3a410712722271abd7e0a9a6c43646b61a321912b4a8e8f6fab68ab69add1d701c501bb069b8ecb65ecaf3bfa9be983933d0234a8c81c24bc6601f

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt
Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt
Filesize
4KB

MD5
5c7bc92e0d948e3bba3f26f64a22fe7e

SHA1
bd259397a312bee9b8262058c30e0e354eeea93a

SHA256
5e6b0978fe8e2d14905f46e089b06681d6dfe76dd0c1551c168171ac4de75969

SHA512
8a6e18ce3d38a9658172b1871255a9941c572114137e468f130956c73ff13f282a46074a1dda6404dbdbf317ecdaadf01324194b8f8c081f862037784f4946ba

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt
Filesize
7KB

MD5
1a537a1d30fba1d3db449a9207b63835

SHA1
ab6903b4c8d6bd3571960b1218714b8d76b1880d

SHA256
49b6b664d50a1ae0c732bcfbbdd1db1812ddccf00bcf5f40200f0e7cff5542ee

SHA512
1215b0d017a6e3ea207edafe8edd500a91a7a971b2f989d8006fa65e475ae32ec00df3e8ec06b4077f64f5b789c536bfb9d8b9945ca0e0731d68e48876bd8459

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt
Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt
Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt
Filesize
4KB

MD5
f8a86b74ce3b446e3111d1480b5feaf7

SHA1
af21c55fd6ac99e65db55af9b8f4ffe790c4382c

SHA256
8a049b6126e904dcb9ba5d8af21cc0ab25ca55221cf2cd48eea45504fe23083b

SHA512
70f8009f5940b10b77a6c152c8c73f3dd425fb9ac917014504e8116ef00032888de686271e0262cbe7a55c6e605e837dcfbeb54ece71e49646b1030195fa0845

Download Submit
C:\Program Files (x86)\Steam\steam.exe
Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json
Filesize
153KB

MD5
12f0343ff42fcf6df3b96041aa150b6e

SHA1
327c3e99714c261161f1256c2b708c3d25b6d8ac

SHA256
c4636e411e9d6c8e6f537a384dd05c239c2fc665733e2125c48a3cf5ae976bfe

SHA512
e613393ab78064dc32a3a64c93a9d6f529b069ccae8ceff993c81bb92018240b76eeb159633845466349b3a476536c132c9ae9906776047544db6dfbffea4c66

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp
Filesize
153KB

MD5
b89aa013d506cd2a985c136c5aa77d13

SHA1
c36fd1d74cfffc7535296b8d56b4066c2e5954fc

SHA256
3af830195be531db138b6fff3f1e8efcf0a952d467ed24f0272149d59df3f9c4

SHA512
82f272fa75abc4de6126d08f6139e63b33bbc9a31e573e5202b049c6864b08e0669802a968fed70f6f5b8a668c4e32cead47a2829ab92cb4bdfb8df9fd842571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\activity-stream.discovery_stream.json.tmp
Filesize
153KB

MD5
4a866994dcf0a7570389d21e5d3bd260

SHA1
42450bf3aa38ea7c6e55aab1a17fbd379ffdd528

SHA256
469024fa885820eb1f6beba5a7f4d3c5224033babf240afa0baeeca600240f8f

SHA512
2e86ae3921eb223cdcecdeb612db46edb6802d6ae9a969bdd762e74dd5d53bead365fea3db40e4d4bb2a55c5b27a6b00380335a9cd7493b94533dc90fce771d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore
Filesize
10KB

MD5
778d899eb7ab4a01a12be0d714a9fd93

SHA1
7b1ff37ca88adc84b1304e459d870b4aaa596d75

SHA256
cbfcaaf675e78565519e1e98b936789402518a3877054e3480342aca743875ad

SHA512
aa8fdd29da623d2ebfef61f0a9dad77b7f09f8287026b5b8b5686d883dc7dc2a20d1046d7b56af0db659e74af6950562b2ba7f75e91c44d9392ba043250ff3ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset
Filesize
315KB

MD5
a4b619394319b31019daa7901762b66c

SHA1
e24bdc3168cdbfc55ec23864180804e3706bdaf1

SHA256
a2dbe40673d52c90b8f524738ec7439c74910a319154ea9868800f662135d097

SHA512
fcc2200362eddde536ce8106cc0d0dcd576a0d14ab54ef8fd4337954d753d23e2a954f3cea31b666f72d8aea52c4e017594afcc1fd535e0ae8de8ca822f5bbe1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\startupCache\scriptCache-child.bin
Filesize
464KB

MD5
5b6d9966d20791c38f3948d133bc4014

SHA1
e033078a3e395fa5ac0c24c92ba9e0d2f9129887

SHA256
181aa6dae48c54c9e5324f6810a4bab386f426d6d90d69f3c99fd03edbb77fe4

SHA512
568ec26dddb29f09c182b16af91f3b908e2890e1c3261547b70550827633719047ca0d7fbc0d2846c7bb1da1ef1a3ee278b4073567348d5d8e02417c8e439d88

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\startupCache\scriptCache.bin
Filesize
7.8MB

MD5
54bc82d641b8c1e51c64803691371999

SHA1
0e5666c0643848a6f6dc1f7217f197ea06ebceb2

SHA256
205617ed1b677154d1a3c856f816b552f85659e84140bec9a563deb3e8c3b67c

SHA512
ab830aa5cc9a9e4493a244a33ec7b143b8135a1e00029866ad0a3c450de152a5fedc80a165c2b2341d673df8c7f2774578360e83788a01338b67f18b019a7d8d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\startupCache\startupCache.8.little
Filesize
2.2MB

MD5
bfe5ad909e74328b63dd6ce76238080d

SHA1
6d46dafaf100100e2f176b190e9ef8040bc9baac

SHA256
f0029cad90f28514f1b0b2e92d3643dd4a001d8dc308b23f8f3323a46553611b

SHA512
312aded91f09a3b9e4bd4fb70abc2736d46cb97819a52567f711b9baa9c587912c06ea306cc968a1f616f0e4c45cf54330fee79da1fadbd900fc283c2d5ff0ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\startupCache\urlCache.bin
Filesize
2KB

MD5
833fb3d3c1dcd1adc9e210db623a7255

SHA1
857a9bcfbad26146c72ee6fc794f9f8753297432

SHA256
48f89fe33212caaedf293d2bc1c1e89e1ef62782ce3c2bc529e4a2c5752718cd

SHA512
0a4e7a3289c21001a78f118d408797123c5fbd7661d637f90e8951b77dccb0a75160b3a7f9433b0b3db1b1e0bed1ba9d0a9dbe603655b9949ab43d9ba443500a

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
9997a3b23012ece48651fbba2c517079

SHA1
08b540edf1ba01b9fbaa33b0dd661776f3946b6d

SHA256
094fdb15010986b49ba37b0f8e27e86dd528e72fa1654100333f95d9864ed15f

SHA512
153f26eb9d4f03a7ec5edb52f7691ed63c3ccf9941056cd7bec47a3c62216caccbc67e408a8c7fd96551001b607d1ad4bb8f75043cd3861ceb96d723de482378

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
71014f844064bc5e22f5fec21b13ab9b

SHA1
9d0aef4cf6841e4b7651c409016304cbc7dea92a

SHA256
9d8dbf70c67e39914ace0506a0147ed8a7a6d7e0a919081ab734f99e0b2bdf83

SHA512
b71425860017af70baf5b2445e73245ba8e46d08cd7c3ec3dfe1cc234e770e4b315113340d70aa7e43e296d65bc62a65a03b0f9d60256e4ea79e8dc6278c8596

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State~RFe588b05.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\StdUtils.dll
Filesize
99KB

MD5
98a4efba4e4b566dc3d93d2d9bfcab58

SHA1
8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

SHA512
2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\StdUtils.dll
Filesize
99KB

MD5
98a4efba4e4b566dc3d93d2d9bfcab58

SHA1
8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

SHA512
2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\System.dll
Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\System.dll
Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\modern-wizard.bmp
Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsDialogs.dll
Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsDialogs.dll
Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsDialogs.dll
Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsExec.dll
Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsExec.dll
Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsExec.dll
Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaEF58.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\SiteSecurityServiceState.txt
Filesize
504B

MD5
53bacba121494edc98c7a41dbc0af369

SHA1
c9730aded4810b3a33ad8b6150eaa75511d6d4b1

SHA256
7f7b90697b565c7e4663f0ac14ca974a905b48ad3fd848132ef9dd7d3a9936e0

SHA512
0c94b5cb331901a96d73162ae33335aa8d0d4b1dee7447c8d709b16ec6b29ee762eb1a3685b820c7a82cdafc59c8be8bad4b90a8d3ad1b296b4359b1b1a75690

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cert9.db
Filesize
224KB

MD5
a8664f76e7fa57e3fe330d73ec295c00

SHA1
01e493ed0cbbe4b184dcd685b0cb362c832f0a33

SHA256
7fb41fc86a423aece6f176d847ecdae8eae79c68118d83927a7b56326a4f611a

SHA512
32f9f768e429b432552f597e329944eac521f0ed9f91471ef0a9d6975cce7e989d97df40d6df48573da1ff94876e418aafddfa97e5cd302a307d20f70ca604a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\cookies.sqlite
Filesize
512KB

MD5
11b944956a784a66110769131c8e6299

SHA1
00263987f700273ec0a09fb90f6eeb8b39e46b4c

SHA256
88eddef3afa2ceea0773be5de03e5e4da07290277cf0ec392e6e77000f277d2c

SHA512
53dac2cd9a5779580d18c1a064f451d6090a252f1d4b21479a910c21e9ecf23f784ff666a081cdf82af3437575bf024aa6445569936dfcb940c705504492806b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\permissions.sqlite
Filesize
96KB

MD5
58a28bc131e3ba62a7257c775d8d21be

SHA1
4e1013eb4138b0871f7ec50f72fdf896f56c6437

SHA256
7934def7a4821264dc3103aeaf3965f17f9471b190c1dea80bf981e0d00d797c

SHA512
9f4a77a866441c6fbadb559bb4cb5d878622f129775ecea781917229995fe16a501567b1cebf6c0bac1ffb2f4715fe8381dff8d7025b2ba7afb6775fe500cc20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\places.sqlite
Filesize
5.0MB

MD5
d5ed33d6beef0da0f2134b2d7abbb52f

SHA1
3a205a8bd5c856e12b7848bec5c6aae8f5b6c6e0

SHA256
9bbc76e8db1d51bb91c54ccf2d8e23c08d3b0114639a22ccf96bd00dcecda0ef

SHA512
74b24cb67d0cb6f96615972e883b3f9b19af07183677cd48fe854858bd2d3119179e9e61305ef406132923d8f9165a99fbf5418c8fcc1815b396274e4e11c8e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\places.sqlite
Filesize
5.0MB

MD5
c1a717228e586849b504c6997582b808

SHA1
faa53f161f6ff032211603bff804e81782db1d33

SHA256
52ca9816f97ba9213bfc3a707a7faec94b056b86db0fa22ba34f7077fad5ef70

SHA512
9a5f97bd775e17dc54a9d02a46fe54a059d9461d1ed8ceddd6430c68f92d64eb97a404071247c1e7702cc96576d752c1c7eef05b33231fc4cda9feb776912c4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
Filesize
6KB

MD5
0c4efaca0e783930b75e1be78629d752

SHA1
415a82e2192b71b07806490525374458a0fa9019

SHA256
af0479f79fdbaae7f3877ce3aaa19c9b011833631391a88270c88c446d53adf6

SHA512
1af448071f27c46df9c865fcc891a7cb57a50c9e73ea361103df24a8c779ef86d80be6aa0b7141098499974cc286c132da8371f4173319c6552ce4a8117f9238

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs-1.js
Filesize
7KB

MD5
60fa8b5f915aef522a6db9fa3c5937d8

SHA1
80b805a1cafa3ba3bd94c33560958706939d6429

SHA256
86b13395e8e0c261a24b290784ea834afa13e243ee1b58c0a8b7bc34cb3c2688

SHA512
dc29a88641125d33083ea498436ade3ee4c5e321ca068fc51b4dd55ce0fbd29f1ad5ad00d5eac577a6a3b6f14357a16fdad954f20879f75d4f75a6f7cd1805cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
Filesize
6KB

MD5
7b859414cec50e0976ce812652d0896c

SHA1
04a988de5c916a9e2ef2fa8705498fe54fa9a91f

SHA256
91c8709eed25ce73a951ddac0c1f9e6a990e3a7fa0b39281cab607144c780110

SHA512
6aba269baa69b5c125d86d5ee33f36729ce8aef11a99651c82fffd9e51dbad1332c7713dda0418578a9863ca06431de24a9f825b0c5fc866b426dc3c39a1b1fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
Filesize
6KB

MD5
f3222f988ada31f4310549098432cc25

SHA1
24688864f8ef80a989527cf7ea7d635547ce6d82

SHA256
afc8930a51d6a425ea6919aa0530af5b03c15b761495b89ad35a73a363d0cfa6

SHA512
58506462499ef0743cf4dacec8771ae985cbb3d61aa9e5c510f00016374bed7092cdc6bb502dac4673da470a314f7e57944f4ee92d9cc7b0363bdea661a64e45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
Filesize
6KB

MD5
cf90495a65e9a48427cad0165c611623

SHA1
7406790d3cc507af1339fba12f4cfd1b84a6ac4c

SHA256
16e7d165cfde5ebc5643d35fd268ce83178431fa7a78b72ee3bf234ab8924a64

SHA512
0bfd0bd327821d6a8078a420137ea2deaff944b852edeb06b524c0e212d3fec34a88628db3f981dd00e681803ade09d4096e3464fc8fed9dac7ed50c7a4a20a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\prefs.js
Filesize
6KB

MD5
decaaa8434c4b4369179f7caec24e285

SHA1
9a22c78337c429c3584328ac63e8ff8e4b57b7d2

SHA256
446a5884b55318e22a7cfd5bc6d018bcddb191381b9716fcc69f0ad64f12d170

SHA512
891153b84622173e6b9ab2c1341750ec132d4025a63be083740c17ff148644f0db00a7099b7477bf50b39ee509fdb325842ea9a15e11ef667573840b0cd6f63b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\search.json.mozlz4
Filesize
296B

MD5
033eb0645837c8b618a593f7b9a72642

SHA1
cf4c2e7ccaa275ee47cdd945a7bd1f8b57c61172

SHA256
3409fd08295094b37673d748a0374cf0afaecf1671188b2ed012626cad67a582

SHA512
27dd0743306b0845c06b3be3e3ae2f515777dced4bbf91a4864bb95c5873e2d6351d99be36d4762a2ba8262130c6d139db3f4f5272afb8717e02b09c1e39c2b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json
Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json.tmp
Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json.tmp
Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json.tmp
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
42KB

MD5
1199c303af0d30581393dd2c7e025c64

SHA1
47b651c1665a688c82817630272c4448fff5f765

SHA256
d250c4edf958165184ba67bb9da4f73c6c697cd818dec3abeb274ef8c86649fd

SHA512
b5cf92d8ef84e64095804179eda453cfc2b0761a8897c66979b907bd1ada7e2370f9abaa539078a385e8b5b6748eea906f812d48a68355207d7d3f184a25ee44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
43KB

MD5
71acb6eae0fff356132907af2946c464

SHA1
682c19cb4dbc0d68077624b2c3c1b56fcf0d9938

SHA256
5af988a70abaeea9340d337ee12c320982f56061f91f05d6e2203f232e459d89

SHA512
c5b821b75a5fb9b5fcf33b3f36f5784ee3ad6d5b79cc8df5e6c42366557e4cf00f4ab0ef2361e749e455adada008c1840d997cde4c975b378d2fb25b60132f51

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
5a4b4b0c92ba23afe9b93277dbec76f7

SHA1
0852df17d85f04fc0237209730d3b7cacf3aa65b

SHA256
e9ef1b46767db44b6f8a6228d254432f262d0db7eaf981fa14dd95bfdb177121

SHA512
16b812faca15dc447eb18559f47d4ea5ae0abf6230dc3ed17fc82557cb8e86ab2b07db6ee9d7c2dcbc1fb5bc440cedd55d021fc0d848a47e42c854d836e88faa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore.jsonlz4
Filesize
43KB

MD5
2e1944e6505fb93f350277b49e6d5c7a

SHA1
dfb5fa67b74f57f41cf0a5e5724e1e06dbfa09ed

SHA256
86073f669ca86d32e8726a3b1973a2f62de1d7165037827ecc76ea2adde92d51

SHA512
8e15dd56d53782d6dbbc23cea904703c7ef591ad05d73c290841ba9afaaac6097cc53bb041baa5279b9322e0fcb7e57ec934a87a619c304bc5dbb6bebf815ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore.jsonlz4
Filesize
43KB

MD5
2e1944e6505fb93f350277b49e6d5c7a

SHA1
dfb5fa67b74f57f41cf0a5e5724e1e06dbfa09ed

SHA256
86073f669ca86d32e8726a3b1973a2f62de1d7165037827ecc76ea2adde92d51

SHA512
8e15dd56d53782d6dbbc23cea904703c7ef591ad05d73c290841ba9afaaac6097cc53bb041baa5279b9322e0fcb7e57ec934a87a619c304bc5dbb6bebf815ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\sessionstore.jsonlz4
Filesize
938B

MD5
3abe7a954ff0b55f7e08f6517a7d50e6

SHA1
50eb159e3ee1c42a47f17371f75d659f31c08b41

SHA256
cbc5968545e859efe4a83d6aaf856f61e38fa71a4f5275430d94d5b1b91db47e

SHA512
d8089f8044536823146f82db07a7b93579e72b1c5b70247dc2efe907f022efe8412e3be857aeb06a16ae92b7ac4cfaf65fef5337efac7992e0f304a5ec8d840f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage.sqlite
Filesize
4KB

MD5
3ff48f2cb4aad772a8f45f5dae18b3b7

SHA1
5c8cbab7a85ca7086f843acf44d48d21acf23725

SHA256
0bef9744a617d75287a6460be1d82e23754700cfa6eceb2effa04c91fcc178da

SHA512
dc9025840ebd588e8f02d39f35148faca8cd3c4ec6e731ba7e108f4739165e733ec684f7f43321ed31cab93678a90b832c446b078e7b1eb84e7b3fdbce28ab77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize
48KB

MD5
15cb7a841c33aa3f22a12e2ce08a627c

SHA1
9fcf68e5f64886170fdf2b83dea1ac89bbaa0651

SHA256
359eada61434dc4ec2a4830414212a021d81dc5aa40fff936c700dcb656c3bb8

SHA512
3a93c5034e743f92d3c0548f79ce073d315ffce65d44e59ab8554b058db373a295510d6fed83a17d8a1df1840e3c311cd50a2d6400a5cdfda9f21ed0cd1d9001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
4d38f3a6b6f2fffb36d8d954864781f4

SHA1
422161441abac6d6ce427e64052d2a641784e714

SHA256
68e3207b7439bf12ea54deab8b6c4df3be160fb5e4c46594d4df2d0bb9554623

SHA512
743f81d28e5f2be161e160d3cef09c2ab2ef6fb6b97a2fc53adf31e8e0973fc3b3a04a3b439be1506c903f27920fc7684e09a9f188a4f1525d87da7c0ddc8f63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yz6mdvpx.default-release\xulstore.json
Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Downloads\1d381bb52634f826.xI7lrMde.exe.part
Filesize
22KB

MD5
b3c9f6cd71b0771375b9ae7a34fe836e

SHA1
024123081438e3ddae932e192965af95c8da2c86

SHA256
64fc10a7fde78979a9ef835fcc377b58c56f32e9050969dd27d2b961ee8b5f99

SHA512
472be8ca59d6835e7638e06c8e41c7203910d8855efc24d33805089a5825048b07dd77b15a726b8dcf9c34a7ef0d0cf8ec485668d9d94ee9abe79d26cf7fff2d

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe
Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe
Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
C:\Users\Admin\Downloads\SteamSetup.r_7zacMe.exe.part
Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
memory/1976-17963-0x000002822F710000-0x000002822F718000-memory.dmp

Filesize
32KB

Download
memory/2116-18058-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2116-18057-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2116-18056-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2116-18055-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2116-18051-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2116-18049-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2160-17968-0x0000020B20B20000-0x0000020B20B28000-memory.dmp

Filesize
32KB

Download
memory/2160-18025-0x0000020B20B20000-0x0000020B20B28000-memory.dmp

Filesize
32KB

Download
memory/2196-17794-0x00007FF985E40000-0x00007FF985E41000-memory.dmp

Filesize
4KB

Download
memory/2332-17962-0x000000006F890000-0x0000000070B2E000-memory.dmp

Filesize
18.6MB

Download
memory/2536-17812-0x00007FF9848E0000-0x00007FF9848E1000-memory.dmp

Filesize
4KB

Download
memory/2536-17813-0x00007FF9857E0000-0x00007FF9857E1000-memory.dmp

Filesize
4KB

Download
memory/2536-17969-0x0000029AC47D0000-0x0000029AC483B000-memory.dmp

Filesize
428KB

Download
memory/4944-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4944-135-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5700-17788-0x00000000009E0000-0x0000000000E56000-memory.dmp

Filesize
4.5MB

Download
memory/5700-17782-0x00000000009E0000-0x0000000000E56000-memory.dmp

Filesize
4.5MB

Download