blackmoon | 7aa23742e590f27e0d74aec95b8f3535f96e2ff11dcc4688b0115811376aa786

Analysis

max time kernel
390s
max time network
393s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2023 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loadermain.exe
Size

146KB
MD5

b10b7412521eef4e650b401be020d6ae
SHA1

b933efe72da53ae34623dfc4c8402f355ebdf97c
SHA256

7aa23742e590f27e0d74aec95b8f3535f96e2ff11dcc4688b0115811376aa786
SHA512

abf50bafe9c012441c7a87ee1ed9557cd5575c6a5afe98593099ee046b36af696eb0435b590f182d21128030ce7e3eb9a645d01ea670ffc7785949d529b96d58
SSDEEP

3072:2fTD+he/t4IKjJN4OI1uGxOt/cgQXlK1bryNln8REPmdpzlV4Uhp899ibout:yuhjIKs98t/XSYbCs9j4X0boS

Score

10^/10

blackmoon banker discovery persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3812-135-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon
behavioral1/memory/7372-19826-0x0000000000400000-0x00000000004A5000-memory.dmp	family_blackmoon

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 14 IoCs

Processes:

SteamSetup.exesteamservice.exesteam.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exegldriverquery64.exesteamwebhelper.exegldriverquery.exevulkandriverquery64.exevulkandriverquery.exeloadermain.exe

pid	process
6136	SteamSetup.exe
5336	steamservice.exe
5604	steam.exe
6476	steam.exe
6856	steamwebhelper.exe
6588	steamwebhelper.exe
7616	steamwebhelper.exe
7920	steamwebhelper.exe
6776	gldriverquery64.exe
8196	steamwebhelper.exe
8400	gldriverquery.exe
9004	vulkandriverquery64.exe
8888	vulkandriverquery.exe
7372	loadermain.exe

Loads dropped DLL 48 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

pid	process
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6588	steamwebhelper.exe
6588	steamwebhelper.exe
6588	steamwebhelper.exe
6476	steam.exe
7616	steamwebhelper.exe
7616	steamwebhelper.exe
7616	steamwebhelper.exe
6476	steam.exe
7616	steamwebhelper.exe
7616	steamwebhelper.exe
7616	steamwebhelper.exe
7920	steamwebhelper.exe
7920	steamwebhelper.exe
7920	steamwebhelper.exe
6476	steam.exe
8196	steamwebhelper.exe
8196	steamwebhelper.exe
8196	steamwebhelper.exe
8196	steamwebhelper.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3812-133-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/3812-135-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
C:\Users\Admin\Downloads\loadermain.SMDwywCb.exe.part	upx
behavioral1/memory/7372-19826-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	SteamSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

steam.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\layout\library\library_allgames_suggested_row_empty.xml_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\layout\library\library_allgames_suggested_row_storebuttons.xml_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r1.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_l2_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_xboxone_wasd.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\api\ps4_button_share.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\styles\tenfootcontroller_losshelper.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui-public\images\controller\ghost_030_inv_0309.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_russian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0313.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\keyboards\layout_dutch_dualtouch.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\image_error.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_button_logo_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_r2_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_details.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\xbox_rt_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0406.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_russian-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_stop_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui-public\images\vrinstalldialog.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\BlockCommunicationResultDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_070_setting_0080.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_swipe_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\SettingsSubOverlay.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\drivers.exe_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_play_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_Server_Failure.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\GameOverlayRenderer.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_075_utility_040.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_outlined_button_triangle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\en-GB.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\layout\tips\tip_section_container.xml_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0135.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_settings.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_ring_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_button_logo_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\browser\browser_secure.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\friends\friends_indicator_gameinvite.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\api\pad_l_dpad_e.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_touchpad_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\movies\deck-suspend-animation-from-throbber.webm_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\layout\friends\notification_friendingame.xml_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_060_vehicle_0120.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui-public\images\controller\ghost_070_setting_0303.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_rg_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\api-ms-win-core-interlocked-l1-1-0.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0308.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\libraries\libraries~4611591fd.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\libraries\libraries~d432c02e4.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\api\stick.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\store\bp_mastercard_brazil.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\keyboards\layout_brazilian_dualtouch.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\clientui\index_friends.html_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_outlined_button_circle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\ChooseBetaDialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\layout\overlay\notification_refreshlogin.xml_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\inbox_notification_inactive_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_r2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_outlined_button_triangle.svg_	steam.exe

Drops file in Windows directory 1 IoCs

Processes:

loadermain.exe

description ioc process

File created C:\Windows\gzip.dll loadermain.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\gzip.dll	loadermain.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exesteam.exesteamwebhelper.exesteam.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

steamwebhelper.exe

description ioc process

Key created \REGISTRY\USER\ steamwebhelper.exe

description	ioc	process
Key created	\REGISTRY\USER\	steamwebhelper.exe

Modifies registry class 64 IoCs

Processes:

steamservice.exefirefox.exesteamwebhelper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\	steamwebhelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steam	steamservice.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

steam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\loadermain.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exe

pid	process
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6136	SteamSetup.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
7920	steamwebhelper.exe
7920	steamwebhelper.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe
6476	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steam.exe

pid process

6476 steam.exe

pid	process
6476	steam.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

loadermain.exefirefox.exeSteamSetup.exesteamservice.exeloadermain.exe

description	pid	process
Token: SeDebugPrivilege	3812	loadermain.exe
Token: SeDebugPrivilege	3812	loadermain.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	6136	SteamSetup.exe
Token: SeDebugPrivilege	6136	SteamSetup.exe
Token: SeDebugPrivilege	6136	SteamSetup.exe
Token: SeDebugPrivilege	6136	SteamSetup.exe
Token: SeDebugPrivilege	6136	SteamSetup.exe
Token: SeSecurityPrivilege	5336	steamservice.exe
Token: SeSecurityPrivilege	5336	steamservice.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	7372	loadermain.exe
Token: SeDebugPrivilege	7372	loadermain.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe
Token: SeDebugPrivilege	3704	firefox.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

firefox.exesteamwebhelper.exeloadermain.exe

pid	process
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
7372	loadermain.exe
3704	firefox.exe
3704	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

firefox.exesteamwebhelper.exe

pid	process
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
6856	steamwebhelper.exe
3704	firefox.exe
3704	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

firefox.exeSteamSetup.exesteamservice.exesteam.exe

pid	process
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
6136	SteamSetup.exe
5336	steamservice.exe
3704	firefox.exe
3704	firefox.exe
3704	firefox.exe
6476	steam.exe
3704	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 2188 wrote to memory of 3704	2188	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4552	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4552	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 4264	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3280	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3280	3704	firefox.exe	firefox.exe
PID 3704 wrote to memory of 3280	3704	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\loadermain.exe
"C:\Users\Admin\AppData\Local\Temp\loadermain.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.0.1107846088\439538242" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7868e925-86eb-4938-af61-fd884bca2ca2} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 1916 21539a16558 gpu
    3⤵
    PID:4552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.1.868034342\573411782" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74c555a9-caff-4e87-8715-f7cad0cf9cfb} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 2316 2152ba72b58 socket
    3⤵
    PID:4264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.2.521212533\436806985" -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3112 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe2354c2-19bb-44b9-9eb3-ccc69ba7944f} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 2712 2153c707658 tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.3.1795962670\1087506334" -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 2772 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11ee1537-f84a-4b77-b91f-2f96a43737f2} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 2344 2152ba68458 tab
    3⤵
    PID:2272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.4.637971282\1660481097" -childID 3 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a64ffb58-8e3e-4f56-9f3e-2917959fe5bd} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 3792 2153d577d58 tab
    3⤵
    PID:4240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.5.268334251\589722643" -childID 4 -isForBrowser -prefsHandle 4748 -prefMapHandle 5036 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbf5cd4b-f987-4305-8fae-0650722a1b13} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5024 2153efd3a58 tab
    3⤵
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.7.619781720\1172935342" -childID 6 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1786a67-985e-4b57-9c58-e104db0fb6a3} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5408 2153efd4c58 tab
    3⤵
    PID:4964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.6.1992942277\1372816263" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55aabf8e-3d5a-4972-8b3e-3fef11689639} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 4964 2153efd4658 tab
    3⤵
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.8.1065260097\275664798" -childID 7 -isForBrowser -prefsHandle 1608 -prefMapHandle 3200 -prefsLen 26913 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {070eb14f-92fd-4bbe-b6c5-627b82d636e7} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5572 21538cb2258 tab
    3⤵
    PID:320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.9.1464465024\783380589" -childID 8 -isForBrowser -prefsHandle 6072 -prefMapHandle 5360 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa1e4d6c-fd8f-4ad4-b8f2-5b19523dc0c2} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5048 2153eb04158 tab
    3⤵
    PID:4920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.10.307826465\656197492" -childID 9 -isForBrowser -prefsHandle 5272 -prefMapHandle 5212 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3095c08-d4f2-4e19-a699-1eccfdabcb55} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 4996 21541d81558 tab
    3⤵
    PID:60
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.11.1613549531\1961037571" -childID 10 -isForBrowser -prefsHandle 8820 -prefMapHandle 10060 -prefsLen 27235 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0445ff2a-56de-42ae-bfd2-553b00e587b8} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 10088 215422fcd58 tab
    3⤵
    PID:5712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.12.746519153\1259127635" -parentBuildID 20221007134813 -prefsHandle 3560 -prefMapHandle 6072 -prefsLen 27235 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8494d19-16cc-4611-b092-58672394522c} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 5344 2153f717b58 rdd
    3⤵
    PID:5864
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6136
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.13.123726670\1572627498" -childID 11 -isForBrowser -prefsHandle 7652 -prefMapHandle 9208 -prefsLen 30482 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd4eb574-0f51-4eb9-8b5f-82f45edd70d8} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 10016 2153f0c1458 tab
    3⤵
    PID:5504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.14.952736285\561884805" -childID 12 -isForBrowser -prefsHandle 4040 -prefMapHandle 9460 -prefsLen 30482 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce71ce2b-164d-44f0-9328-4e6201a87bf5} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 9236 21541c05658 tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3704.15.936568994\1802760853" -childID 13 -isForBrowser -prefsHandle 4904 -prefMapHandle 9544 -prefsLen 30482 -prefMapSize 232675 -jsInitHandle 1456 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44d51fa7-931f-4172-9c06-2d620525bd76} 3704 "\\.\pipe\gecko-crash-server-pipe.3704" 9452 21541c06b58 tab
    3⤵
    PID:5912

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:5604
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6476
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=6476" "-buildid=1686880776" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SameSiteByDefaultCookies" "--enable-blink-features=ResizeObserver,Worklet,AudioWorklet" "--disable-blink-features=Badging"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6856
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1686880776 --initial-client-data=0x364,0x368,0x36c,0x340,0x370,0x7ff8674ef070,0x7ff8674ef080,0x7ff8674ef090
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6588
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1692,9616245806038236617,1668163139495625408,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1686880776 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1700 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:7616
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,9616245806038236617,1668163139495625408,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --lang=en-US --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1686880776 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2184 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:7920
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1692,9616245806038236617,1668163139495625408,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1686880776 --steamid=0 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2516 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:8196
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:6776
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    PID:8400
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:9004
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    PID:8888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x498
1⤵
PID:7872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8668

C:\Users\Admin\Downloads\loadermain.exe
"C:\Users\Admin\Downloads\loadermain.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:7372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\bin\audio.dll

Filesize
178KB

MD5
016962e4d00c8b61a59bff3b1741d089

SHA1
7cc61aae2eeeb840e7d031d079528b64c1676062

SHA256
f1522155789762ef175b15d2cd55f3ad2504ad27aa61b647a7a1b3eff0cb3db5

SHA512
2ec5bdeb27098e3bef040811afdc0ea0961fe1fd066aa1afb02ddbca75c1d66cd6464de787510828964dcec626a563b4ad50ffa4cc31d121d9c6f2e00f1d60a3

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

Filesize
11KB

MD5
57193bfbccefe3d5df8c1a0d27c4e8d4

SHA1
747f1d3841a9175826439d37e2387a4cf920641c

SHA256
f5025e74de2c1c6ea74e475b57771ac32205e6f1fa6a0390298bbe1f4049ac5d

SHA512
68ad2750e0282fb3ae8d40ac7e22dda43b2073342bb160c20d81d61c69b08a6e766756b432c71cc65e99cdafb70152d53563f0b02708fff84dc3e9f376d51c99

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Program Files (x86)\Steam\bin\steamservice.exe

Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\crashhandler.dll

Filesize
367KB

MD5
e53fe677e423d2634afa2499f9de893d

SHA1
ac3bc67443015cb399653bb9b632bb2153508635

SHA256
5844ff24211b5a19f66eba92a77e031ecb3c6368086c1d7bd7bab7da300291c0

SHA512
fcf79d8da93fb61d0d59b80a3b9a7adf6c3e2763e68de0f1f31fbbf29139d9d6ba358af92472c41a788e5898cb24c6384015362bd3c9f93c5ebf87582285293d

Download Submit
C:\Program Files (x86)\Steam\crashhandler.dll

Filesize
367KB

MD5
e53fe677e423d2634afa2499f9de893d

SHA1
ac3bc67443015cb399653bb9b632bb2153508635

SHA256
5844ff24211b5a19f66eba92a77e031ecb3c6368086c1d7bd7bab7da300291c0

SHA512
fcf79d8da93fb61d0d59b80a3b9a7adf6c3e2763e68de0f1f31fbbf29139d9d6ba358af92472c41a788e5898cb24c6384015362bd3c9f93c5ebf87582285293d

Download Submit
C:\Program Files (x86)\Steam\logs\bootstrap_log.txt

Filesize
16KB

MD5
6d465d59feda14c2abbd8587c133b812

SHA1
441e0840a7903652c31cbe4e208e05097533ce69

SHA256
1cdfc15dc097b0a2424c365b6ebf42e259655af753996f33437aff3d22003f38

SHA512
45494f4f579d366e5f87233904969b75523e0d5aa3bfffd4a156a509879bca54c025c0f6ce8e17227f5f29961d0bff3a198853a444c4c684b6917c8017623c03

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_metrics.bin

Filesize
4KB

MD5
ac7eb782d738c0ceee9b92911edc203a

SHA1
d6657af2429b11951a4bdaac621c6362a49217e4

SHA256
018b60bb591c19c6265d0c753a7364d1a855891d67c8a5168ca7d5c3f9d7ae14

SHA512
65f223fb503faa37402a0c76c6abd1e84eb71ace746eb9608bc05afbfa62a75d0ea27bba452c9f6bf1639165027053147d39e2114ab2489fdcc9698ed90b9733

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.installed

Filesize
664KB

MD5
805feab85c8c6b61c5ac1feb6fc6c7eb

SHA1
e1553ba076ffa82f5edcba3c746f3036d28120be

SHA256
92b2986c4301cdf5d7d1d2833f6cb378dc082d039f6adf1785e99192cd52c953

SHA512
daf62f034a9c846d834c7bac80b515aa6324342acddd303d44c5a4ed76176f0463d983373e0bea630f288066b433e265156ce598949a2f0a5d1f58f37fd6a264

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.manifest

Filesize
12KB

MD5
ffd2c27841ade36cc9a80cb8af493016

SHA1
fc8f8fea2aff1bd9057fd629cac4030306fab186

SHA256
56e5da68f320ae0867283379f62e0c02801fb3ae72e0c10793c27ccc5889fb2b

SHA512
761dd3cdf083c726859c616edfa475729c851413b1b7fcd93a9561019752d11de48497393c01ad6ac02df0a390b8d826e48074d8646e5658f98afcd7b8baebe1

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mouseover.tga_

Filesize
20KB

MD5
a8e17619ccb8d9d7244b1617969ca14e

SHA1
1ad665215a2f900369492fb143140c81d00fd779

SHA256
4c8894e710464deb81ef9a084f1d5d37803c55cae3959addc437516c0fefeef8

SHA512
4d73cecdce46b483d273d99ef43d8683979f518660e74b2977e980270f00757b462cb73850860dcf36e938932ff19600fc15c37b87e25eb6a588ee33472d09aa

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\textinput\drop06.tga_

Filesize
244KB

MD5
c7afc24e396da59a4ef402ddd2ccbceb

SHA1
dafbca40f8420fdf6c426fa6a3f0f6a43fb493d9

SHA256
996cd2d01542cec922c384708dcbfc8aee8773333ebda9a398f0236675f129b1

SHA512
013ff1f14b8c7214c88e42cf5d270324f4bbac6bf6b5eafa7dadf8d658c0eaa97a52f326df62867dab7926e8edbcb5bac89a0e675c57de5558f78b1bce313ef2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
8ebd46495dd3b4ab05431c5c771d5657

SHA1
e426214322a729faddb5bc80053af5750c76683b

SHA256
70c39d5d5b16640165de19cee80da4a391035108cbc5f5009372a86954f0fe92

SHA512
53afd923f583eda4db580935a8cdd62413af8e830c04f2c12d15c55e905c114ec11a5e4483660601504c27e9350e9e47c6432f8f699464e11c5050fe846d7dc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
239c03a3dc1c27993da724736d086cef

SHA1
ff88246f8ea3502873dcbdc622378f006c58a2e6

SHA256
b387e2fb971297d3438acca130c53dfdd202ae2ca5b52d6503333734cda4fbfc

SHA512
656922e8f2dec46ef36efba5c85088c47b02e89f62b27559611fcbe6ef85c6cd8462a4532e2d2d7f4faa977ab24f0de6f5f72e3075f8889db9e6e60baa162a32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
6def4d3cf1453d5fb69d22fca29892a4

SHA1
09fe62653e55668de75a9fc5b64949ea81eb4991

SHA256
60c29f3c57c44c58daf69be797bfede31967b1ddfc9bb68cb7ddaa0acda67c8c

SHA512
ee4f3f5dd8a8aadde9cff8f8aca8a45fa419c36fd8a4a7d3af9b71e1f7e5d9e1d01c329c70e6da53238822b536e35224e55004bf2e1af4ec17d5b56ccfc58549

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
2fe6613e267857982d7df4368c9827ec

SHA1
d520c7427b283e3ff167b850ab15352e46d328d3

SHA256
2eba5f3f0b0dbcc2cd69c36c220a2355d1ba3cd67b6e25b5846c80e1604bcac0

SHA512
cf2fc8978adf54dce5700eda7d8beb4917c89bf5458131171eab95463e1b3a3315770f4baae07e498e8e36a8478f09e27054ca2d06b4542c86d8459360572be4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
2fe6613e267857982d7df4368c9827ec

SHA1
d520c7427b283e3ff167b850ab15352e46d328d3

SHA256
2eba5f3f0b0dbcc2cd69c36c220a2355d1ba3cd67b6e25b5846c80e1604bcac0

SHA512
cf2fc8978adf54dce5700eda7d8beb4917c89bf5458131171eab95463e1b3a3315770f4baae07e498e8e36a8478f09e27054ca2d06b4542c86d8459360572be4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
594be5b10d9f551e551cf20eae0e6dfc

SHA1
191c20f5cb0c27ecc5a055fa2379694f5e27a610

SHA256
e350ca62e777da4da6d25885be96d48e7ce3acf021a74f2a4902354a1bf03fbb

SHA512
e27bf6593a177c22e16ddf5a44d82b34b02063645a7fd63943b936028d9c433c89628038768a300c296c2d3bcab2ef6b8532a19f7283952d041865c704f62b0b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
da69785dfbf494002f108dd73020183d

SHA1
34bb6061cdf120e7dced0402e588c3f712cf2dc0

SHA256
8cce22e7f13486f2bc612dcc8fa31d81038e6084a350fa10299d40c3a7f878c8

SHA512
db773783b63ed1d66a59272e05304c174b69f85d2838ae8049dffed6b6b30c2011fd9042dd652f9a1733a2b6891870b426cf1985d41921e5360c9b1ae1330e20

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
395286db3e67a59868e2662c326c541a

SHA1
716014d76622612a1bde2d4e1744d024f6d0b830

SHA256
02e48ee4e10354a2b2741d2e57ef565404753779f847906b5ae5c98ede06c01b

SHA512
64cdf1e6701ea57474051e338eee74859fc0ff4acd71ee0718a9b8cd698e94a9793c1901b6791fc0fc268c53fbc1e7e2f94ac1024f3f8765bf713954c194b0fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
b9e30df8cf272813b121133fcf259752

SHA1
16706f982f16d5feb9c808f94b8cfa50c23f5d80

SHA256
88919d7be26fb3e06401fc0254733d92fd743ecc56da4177b41613e1f094c3e8

SHA512
7beb65c0477b02742741a8ce23557f4f15e8cf1b1ef03a6bbadbf594bdf2cd686d7356d93719111d27b309a10ca75846765a13bb3eb4d0411785dfb13a675fc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt

Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
5462f47e56b978659ef56f196db013f4

SHA1
4749824d4e909369f59217d4980963ff17353f3f

SHA256
cbfbe91d4a4661df814ea447c03f4ca872ef3e27073a1eb746faccbfe75afc8a

SHA512
5a437968fc06619cf553ced32dba9c7c948f4364f02c8017986e9a4f09e9832b849c7e0567485ca1beba34a258d29b2612ea3ed6045c81777e9a5201139f81a3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
31bd3d4d8de5af4642b21d586d5ee54d

SHA1
552bebb93c71cd8acd72558db1810530909fb276

SHA256
52f256ded29ce22945b5bc0ef7a227189dfa91da69265ec13283a7067c239071

SHA512
cea49fc70b18a1294ec7e564ff7f4d1ff7efeb0db1cf1b088da6adcecc282569380f225e9a150d1666c5c1977ba4de0a5d9d667c72cfb8569a50546b978e9132

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
e9b8fccdb78bf9d275b79c75b2ff3e7b

SHA1
4b549411ed4db0f0a3699e76531353c226b06a76

SHA256
41ecfe0ffd6043a66a41bf9ea032712f2d1bbc19b434c6c666a107ee379f21e4

SHA512
4ce905a31f3a410712722271abd7e0a9a6c43646b61a321912b4a8e8f6fab68ab69add1d701c501bb069b8ecb65ecaf3bfa9be983933d0234a8c81c24bc6601f

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
5c7bc92e0d948e3bba3f26f64a22fe7e

SHA1
bd259397a312bee9b8262058c30e0e354eeea93a

SHA256
5e6b0978fe8e2d14905f46e089b06681d6dfe76dd0c1551c168171ac4de75969

SHA512
8a6e18ce3d38a9658172b1871255a9941c572114137e468f130956c73ff13f282a46074a1dda6404dbdbf317ecdaadf01324194b8f8c081f862037784f4946ba

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
1a537a1d30fba1d3db449a9207b63835

SHA1
ab6903b4c8d6bd3571960b1218714b8d76b1880d

SHA256
49b6b664d50a1ae0c732bcfbbdd1db1812ddccf00bcf5f40200f0e7cff5542ee

SHA512
1215b0d017a6e3ea207edafe8edd500a91a7a971b2f989d8006fa65e475ae32ec00df3e8ec06b4077f64f5b789c536bfb9d8b9945ca0e0731d68e48876bd8459

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f8a86b74ce3b446e3111d1480b5feaf7

SHA1
af21c55fd6ac99e65db55af9b8f4ffe790c4382c

SHA256
8a049b6126e904dcb9ba5d8af21cc0ab25ca55221cf2cd48eea45504fe23083b

SHA512
70f8009f5940b10b77a6c152c8c73f3dd425fb9ac917014504e8116ef00032888de686271e0262cbe7a55c6e605e837dcfbeb54ece71e49646b1030195fa0845

Download Submit
C:\Program Files (x86)\Steam\steam.exe

Filesize
4.2MB

MD5
5ec88800b1671d61c30e8601a4ba553e

SHA1
6dadc0bf8ac0c54e848cc0d21ec8d98db6e0e7ba

SHA256
87d0cd59c8e17b9cece911e09e494cefc5d02959d510af08a9e3233ac2f2d58a

SHA512
ddd92481f1d4dfa59a8e829a1df8b220f79b1e6cfacccdadc9227b856855025defdde6a18ea2b79be20aa295b738eb2e4e8237a5ed30f7f016987390b6c8ea79

Download Submit
C:\Program Files (x86)\Steam\steam.exe

Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
129KB

MD5
e98bdf78a2950c3923f97a6f34433ca3

SHA1
33d403aac2aec44adf47e5826f587d105ff1df7d

SHA256
3e0c5f7c0283ef9bc6c12eef157fc989e0f1e135e9db31157f93ac57215c7a16

SHA512
0d8b0c5080dc5e8219dd74a388fa3d60c7ffd63a80380a9ac38167a0dadc3db7aeb63ab6fd35d594a4909ff0b7ca0aa7c04acced9bd080f4eb15db57ad84502c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\21634

Filesize
14KB

MD5
25b11847942cc2faa7dc3a34abbefade

SHA1
c19e0deb7666fdd9ea6d707be57a32ef84b10973

SHA256
c14d319552d93615de4fd09bf3d193802949562ac797235eab740a6087b3e07c

SHA512
adac4fae8c36b465c1dafcc7b6d88e1a29e8011249380a83f6e4e7d5fe445cdfc9da78413796da652e065e5ad753eb417d8eebdee1ce966a394dd1f6531142ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\6845

Filesize
12KB

MD5
8530bb839a578bef412a092437ab0e5d

SHA1
55854e1e3e15b678ef80b758c9de683d0f542c66

SHA256
8cb067d6d80e2463d583348b5bb9ebe96673389e2b2f4b9a60923d4863a16b9e

SHA512
923cc03de8187fc9c1cecffdf609270b75730065a0ebb0d2de0e477b76d107417358d7a08af6535558be3f2c61d4fbc0a815d70d18254500b5abab1e3c836e7a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\entries\58D46C4012E4AD3623A4EA72BB3C1CDD25B3FF87

Filesize
14KB

MD5
20cd56544f786fba25c6e72dd703dc75

SHA1
0e86b85515c86629403bcfcf526ccd0c2d31febb

SHA256
e988a38d593869b6a4eb21073d04a8cd3c006585b4a34f0f972eb942f3968ceb

SHA512
d42f38cf9e6f939a211044c36b133c3fd52c87c508eb740dc1e2732a768540de0d70ed933216b55c74de0ffa72da6c9b227dbdf4da1ed4b977ec0f3d8610f0f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\entries\6941258286052D72A570B760C526E8649BCAC5E7

Filesize
175KB

MD5
bb5d9c92621a8b075694bf285350c49e

SHA1
58f0e7179ae993ea86de1742709109a2ea8dfc19

SHA256
1861fb9de5868b52b597ca4e6dfe684df3de1b7b6452939fb23f6aae5b780f95

SHA512
f39b15a2390052a78935aa268c3e50c106c8fb8efa56cfaf6aad5010a6cff0d3196c30d09ef756981f79b6c7541d112e3eca6ca585b40deb929ee9c5c54d6aa3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\jumpListCache\ufEyFCmiIQsquOLIfnxWUA==.ico

Filesize
3KB

MD5
3fef9833539ecf7625989a1192319b16

SHA1
98a69e5e74479847a673c688e44a44a16ae87f12

SHA256
4428522c40ebb41bee7c71186c4cbed9c4ef97a435d795ce074895ae055267a2

SHA512
1d2a7d78a7af9a46f01f22315e374f6366ddfee46f26ebb15bb22198559b64a9024174f14d2630d150f802ced1e7bfbf3057fa06e6bf575e281bea903a99071a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset

Filesize
54KB

MD5
4f9ef3d3a71d4cb49e623e3f4b7b1162

SHA1
c2d65973b44b051d043475e9387fa7100514acbd

SHA256
48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f

SHA512
f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
bd3497a2f8f3fdb67a195cd42d341113

SHA1
86b51bd6ea87ed59958516931b47d03e758cf71e

SHA256
2bc86ec82ea9f71c50f96761d1561ba04ae174fbfe34402d3f5593066882e66a

SHA512
4fb275a3b0b9d97321ad8394b3608dac8693c1a81c3a9e465530a257af659d4d45a3c76ccb484627aae1acc7854b2c0286173c73ac967e50b73e507b68014971

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5ad4eea87ec044bf0140f521df05dbbc

SHA1
a076aeab48768c1549dd66e5159f31110142fc81

SHA256
591df71c89eb262375aea493ed73004189c353ad56bd1e982a2c4242ae27d525

SHA512
94d306b7da4a048261edc557d5b38f66c5f5e37ac32e30d537cccf37de979a634183ed25804f4d5e81ae7fbf178401712643b83b9fe64913b738416bfaf9ec9c

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State~RFe595e43.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\StdUtils.dll

Filesize
99KB

MD5
98a4efba4e4b566dc3d93d2d9bfcab58

SHA1
8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

SHA512
2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\StdUtils.dll

Filesize
99KB

MD5
98a4efba4e4b566dc3d93d2d9bfcab58

SHA1
8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

SHA512
2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA0E5.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
35b46c6abfd9607dda34703ca8bafffd

SHA1
bc9542401dc63ef32b0061bb306fb1ad42984c6e

SHA256
102c2a702e8589ba6fa8f00a909e115054e222d69828f809ab5054569f890ecb

SHA512
a832a67de8774d371cb7a7ab2165dd0bfd3223ced8d3c715cfaba6d0b9fd8fad4f198d6e0c05a9b81d0c69e335db0c8c6a41c58781b8e58b99e4b6461ef0753d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
4b98e46e378f2b79d2164c95cea7b731

SHA1
8db0de0500233350ebc0dd706302b69e3f24c30d

SHA256
efac4f4fe5d270a358c3051d30536c60f1ab3364a17eee44c078cce5b573c7be

SHA512
d3b82eb5dc5e0f0535b8746f42e74fd64ac36adbf590b4b927cb2eac1de0d35143d72e05e30900444cb12030da4e83d59818b983043c92aef8bba39f7a3b9517

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
10986a0ac19630fb1075806956c2fa7a

SHA1
690b2d1706cd21f1d3f4ba58a4ca4696c810a981

SHA256
c76eb8491c76b52f087e650bb865f437cca596dce25a7e64fb36a2592dbde618

SHA512
246f212e132e732c5f25f57825eabd5ce47714cd2516eafb94406f38f49a39ae86c9557d8c4d1be95be0e07fe5a2779e118170bcb03e8ecf9f8dc016d968028f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
efed4567165511b2f59a2da84fe34a6c

SHA1
527a8a0a10f70eb9ef9fb8b03c8c57f15568b8a2

SHA256
8f97b53a031308fa298a6e644d5e5affc4272cf42357fa8a44f7db8a8ffcc8ad

SHA512
c517cc336f2200b0ce96e5fb4eb4318c25a92e96cca8c524ef4e32949ab1dfdca632feca8a874757a57ae372d793286e8ba6e5c29224518db12d1a5ab1c8ac4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
10KB

MD5
82c94f9818160649afd0fd44c2d0b7ee

SHA1
7c7f10019c15d8e0b3a629d42c2f643487f5eaba

SHA256
2c6bf6acb735d0c33ee182d92676fd64aa9088528ed0965a9959baa834c61e53

SHA512
8d644e8278d8e41345311b659768f83f7da8905247e923d51a8599aa4d9d4f09c52adfc9882250bb9da2ded5ab2f2bba0e1799324339aa3c153e63cc87015403

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
b8c5248592c0563943c7fc0a4afb760a

SHA1
6e22182dc766ebb0f5e1b552cbac060bd30af451

SHA256
b69dee93be8d41d82cc682019b64fc8296e17276428849cd2da36a255085e648

SHA512
c14acc8dd8afd6c2ae5d9faa1f7c3348fa89b362669f3f9658b70136c8d4d249410ca8f8b006b408d8331406edf4685d90b93bf10907cd99533aff88e3394a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
292bb21e8276f59dff3095b47f4ab6f7

SHA1
59ef9789fbd54086ecbf6af31cbcab0ec8664aba

SHA256
c463606da7f0b0dfd7e03d0733ae1c220b082f370feb21a62728319a85a0de48

SHA512
eee8394254ed7f52e68e24731c14f396d50aa28b711d7f1e15a35b80b91d02b6366031d1c30b2471684fe99b10d814b8b3c9e1f76dd3c1d5e338630450c25164

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
42KB

MD5
263b76c577b052eb64b65db349805b76

SHA1
fe6e55c8c86052cf5b883863f45238af94c92a51

SHA256
f09255499993500cd2c1555f4125b4796747d67727faa54efe76d55ef606f132

SHA512
3301f861a18a876949a5f58dd1f8865ead40ae8d397f3864c3a93e8b2601123be90409aa365ba7df677922324592486ac2b3c7f84b90d24cd2f8dee54b990e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
7dffc51b919d55a296250e0acbc2451e

SHA1
0a5846e0a38d23b6ac09e57d3c65624fa341116c

SHA256
d4178ac48df10567194aa7d1de965531856c40be5988346489cc1b32012bc8b7

SHA512
66614758493dfbe99edab6f42c836ca8e39abbc0310fabfc2f4f22ddba64fcdce45da17bc349aa3c0ebd2008f82e3171a6891ea55f67ad5dd12a99400a9cb4df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
2a027776bad2d01c9114bd7c9bd593e1

SHA1
7cd6ecb78b1a2f52325e7ca90fd09f082c68f573

SHA256
e1dba5c53883f859a161aecfaa5b247d273af8b9a546152c31f551f9fddf4cec

SHA512
cf2a9c3d6c1cfb75c3d17ad4c6d9c74dd7b6a72150d152986aa640f72d19545fef69a29517dfe8472b49838db15d5135e3cf887fee843a299e653d123ad3dff3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
ffdf5f46bb50389716b88982158f46c9

SHA1
83ab1b70fa62b576dc6f696f86009951516c0868

SHA256
4f94ade582bd1711ce7ce8daa21a04305e27000d0c2690b2dc4afd12e567dc07

SHA512
84be4f4b5f46b770f53ff374a80cf7109980fa715b44e15ea6f0e2faa9b0e45b4d32ef966c8662c29928f22b17975a0841b39facf6a71f39572cf6756ec2ca78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c6e0d161ef92ea13897f7a269591b8fb

SHA1
3a75538e9a0aafb9bfe648ba1bcf8427e50b6014

SHA256
5b40d73e727cb72acfb460a7d63555f57c84a173a301df96183db6c7fd474f8f

SHA512
1dadf97ec0577cfee33a6e1b1a2e91f8671a05baf590491106c03c7f0473a07a30f916fb8575a0e288a692421dac9f4660a6fe59424b141252548cd92d1a5068

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
44KB

MD5
891ab623b529aba8ef64470386f81d37

SHA1
aae18451fa5fa09e10c9cc9d74e8d1b58b1688da

SHA256
5ec56fbdbfa3fad23d4c7e8aa9bcdfe2d5ffe66876b315e94c8c48fba5013bc3

SHA512
e7db792f06c869b5f8ac96b15ebe91f497f0132133588255c60a88f1ad011515ae7448e5a85b00d6bc03b3483b1bfcacf13c64a8bee5b57789bce912df5e3203

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
6e544ffa7133334d270342606f159a4d

SHA1
7a140385217845987c3af5262db0338e8095449b

SHA256
987ee4b6ba65c445e1d07727d3b89df518fe2030e053cbc7b0adedf9517e47fe

SHA512
3b7baed78d6dcfc37232fb42f1eda43a51448dc24362d6189237abc1febe23744067492336c80065035b69e05467ab4a80d0fb36298b2b714d2723d440d39ad4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
339257168caed77b4026c6d89f95ac3a

SHA1
9ec2cd936c17f6513a38c0199733ef9cfb10edb4

SHA256
e26bcbe06d2c09eaa0b37ce07a61ba0c94c4dc50263ff2b6ad71b0a69789ade2

SHA512
a7ce53ec0735121835ea15107675daf2b2252c0c435faf3a78864075c5c4e89ecfcfe7dc07235880f38340fc0979143c5086eb38dc1b8439563a4c692861f40c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
b3d3e02c94fb6a245f58d01c2371bb68

SHA1
961a62dfafe6a9cf860c5fdad6da15f22c543dfa

SHA256
0edfeb27b00795970495ce9127dc5f10ec00e9a171a377cb6d5ec7aea8bac34e

SHA512
b39d8b7d2141f8a75bbf3107d0cf08ed7630d67d92e5578a44d7f5c432631a5b6214826764b2d633609ad677f477fb161a4c3053bec7c9d8996e02854289ea96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
b565492540f51c510e519f0f81272174

SHA1
23a8472927c36c437cec3d1ed890bfb886befa53

SHA256
a32bfac05e2f4626fbe6738ca5c966834f8ebf73fa0f451835c711f40b2105a8

SHA512
a872d22c1cdc922f0f5594d7a8138f4dea42abdf85918cb36094e598cb99152b35ab09e5454c2d2cead9adb7bb5dcbb152beb71a237824afc78efe026302f3bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
ac0417800a4a7b2741c16c6d89fd4bf9

SHA1
edfa710a9bd8f355c972667e051aa8f64467e531

SHA256
560e0d23609369f0cf82f1df24dd23742dcd91d27a1295197401cc9a209b0fa2

SHA512
5c207e395db96d6cf4bafda9133b05afbd23dc4a5d7522cb012738a4ff7a3af265685a53255b66869f95daa298b83e40de2279f5ce279acdeac87c96b8e72037

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\storage\default\https+++www.virustotal.com\cache\morgue\110\{ad06a5fd-dcaa-47ab-9354-d268f78eae6e}.final

Filesize
43KB

MD5
bdadac8be9bf8531a3ee492b9357b8e8

SHA1
5d9544c4e794731d6d7fa385ff49ca413fb0f2c9

SHA256
4a58199069de901969f79bb251ddfc5036d0c78d4ce45339b54b6011d9edd658

SHA512
2279dd027bd6e1fc0fc3906cde47cc3b145e208f57373ad2f1619beca21ca8c0e9ab4eec69b075f28162ef2048d6291664f6329809682c76fc0d3b2c26002cba

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
C:\Users\Admin\Downloads\loadermain.SMDwywCb.exe.part

Filesize
146KB

MD5
b10b7412521eef4e650b401be020d6ae

SHA1
b933efe72da53ae34623dfc4c8402f355ebdf97c

SHA256
7aa23742e590f27e0d74aec95b8f3535f96e2ff11dcc4688b0115811376aa786

SHA512
abf50bafe9c012441c7a87ee1ed9557cd5575c6a5afe98593099ee046b36af696eb0435b590f182d21128030ce7e3eb9a645d01ea670ffc7785949d529b96d58

Download Submit
memory/3812-135-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/3812-133-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/5604-19628-0x0000000000600000-0x0000000000A76000-memory.dmp

Filesize
4.5MB

Download
memory/5604-19635-0x0000000000600000-0x0000000000A76000-memory.dmp

Filesize
4.5MB

Download
memory/6476-19752-0x000000006FA90000-0x0000000070D2E000-memory.dmp

Filesize
18.6MB

Download
memory/7372-19826-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/7616-19659-0x00007FF884190000-0x00007FF884191000-memory.dmp

Filesize
4KB

Download
memory/8196-19675-0x00007FF8849B0000-0x00007FF8849B1000-memory.dmp

Filesize
4KB

Download
memory/8196-19676-0x00007FF882DF0000-0x00007FF882DF1000-memory.dmp

Filesize
4KB

Download