3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

Analysis

max time kernel
930s
max time network
931s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamSetup.exe
Size

2.2MB
MD5

70f3bc193dfa56b78f3e6e4f800f701f
SHA1

1e5598f2de49fed2e81f3dd8630c7346a2b89487
SHA256

3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1
SHA512

3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1
SSDEEP

49152:2DcHcEngZtNm1LQRHH4PTwZX6kg9hsf4lcszpyu7d/TC:rngZtNm1G4Pw6dJzZNTC

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

steam.exesteam.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_r3_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1227450_header.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0210.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_l2.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0347.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0040.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\flag_inactive_bottom.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_060_vehicle_0080.png_	steam.exe
File opened for modification	C:\Program Files (x86)\Steam\userdata\1128306032\7\remotecache.vdf	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1142500_library_600x900.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_button_triangle.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\steamxboxutil.exe_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_dpad_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\chrome_200_percent.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\250900_logo.png	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0110.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_100_target_0090.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\chord_apple.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_buttons_w_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0308.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_circle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1657180_library_600x900.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_r_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_r2_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_greek.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_060_vehicle_0120.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_color_button_b_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1618540_library_600x900.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_110_social_0120.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_110_social_0301.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_lt_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_r_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_android_gamepad_joystick.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\388090_header.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_click_for_details.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_outlined_button_a_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_touch_doubletap.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\win32_win_close_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\ThirdPartyLegalNotices.doc_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\httpcache\b8\b81462b02d92f348a388708bf156c8015d49c55e_da39a3ee5e6b4b0d3255bfef95601890afd80709	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1182370_library_hero.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\781480_library_600x900.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\747660_library_hero.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0506.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\regionrestrictiondialog.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_mouse_scroll_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\styles\steam.styles_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\2381620_library_hero_blur.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_japanese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_r2_soft_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1419370_library_600x900.jpg	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\1077430_logo.png	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_button_mute.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_profanity_latam.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7\api-ms-win-core-localization-l1-2-0.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_dpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\appcache\librarycache\239820_logo.png	steam.exe

Drops file in Windows directory 4 IoCs

Processes:

UserOOBEBroker.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Executes dropped EXE 50 IoCs

Processes:

steamservice.exesteam.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exegldriverquery64.exegldriverquery.exesteamwebhelper.exevulkandriverquery64.exevulkandriverquery.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

pid	process
3424	steamservice.exe
2736	steam.exe
8128	steam.exe
8184	steamwebhelper.exe
8228	steamwebhelper.exe
8368	steamwebhelper.exe
8576	steamwebhelper.exe
8776	gldriverquery64.exe
8844	gldriverquery.exe
8892	steamwebhelper.exe
9036	vulkandriverquery64.exe
9180	vulkandriverquery.exe
21672	steamwebhelper.exe
20624	steamwebhelper.exe
19436	steamwebhelper.exe
19424	steamwebhelper.exe
18640	steamwebhelper.exe
18144	steamwebhelper.exe
17996	steamwebhelper.exe
16908	steamwebhelper.exe
16888	steamwebhelper.exe
16764	steamwebhelper.exe
16604	steamwebhelper.exe
16496	steamwebhelper.exe
16472	steamwebhelper.exe
16456	steamwebhelper.exe
16428	steamwebhelper.exe
16252	steamwebhelper.exe
16188	steamwebhelper.exe
16084	steamwebhelper.exe
16036	steamwebhelper.exe
15912	steamwebhelper.exe
15644	steamwebhelper.exe
15448	steamwebhelper.exe
15252	steamwebhelper.exe
15148	steamwebhelper.exe
15036	steamwebhelper.exe
14888	steamwebhelper.exe
14784	steamwebhelper.exe
12972	steamwebhelper.exe
12932	steamwebhelper.exe
12532	steamwebhelper.exe
12152	steamwebhelper.exe
11852	steamwebhelper.exe
11812	steamwebhelper.exe
10700	steamwebhelper.exe
10452	steamwebhelper.exe
21912	steamwebhelper.exe
21028	steamwebhelper.exe
18352	steamwebhelper.exe

Loads dropped DLL 64 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

pid	process
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8228	steamwebhelper.exe
8228	steamwebhelper.exe
8228	steamwebhelper.exe
8128	steam.exe
8128	steam.exe
8368	steamwebhelper.exe
8368	steamwebhelper.exe
8368	steamwebhelper.exe
8368	steamwebhelper.exe
8368	steamwebhelper.exe
8368	steamwebhelper.exe
8576	steamwebhelper.exe
8576	steamwebhelper.exe
8576	steamwebhelper.exe
8128	steam.exe
8892	steamwebhelper.exe
8892	steamwebhelper.exe
8892	steamwebhelper.exe
8892	steamwebhelper.exe
21672	steamwebhelper.exe
21672	steamwebhelper.exe
21672	steamwebhelper.exe
8128	steam.exe
20624	steamwebhelper.exe
20624	steamwebhelper.exe
20624	steamwebhelper.exe
20624	steamwebhelper.exe
19436	steamwebhelper.exe
19436	steamwebhelper.exe
19436	steamwebhelper.exe
19436	steamwebhelper.exe
19436	steamwebhelper.exe
19436	steamwebhelper.exe
19424	steamwebhelper.exe
19424	steamwebhelper.exe
19424	steamwebhelper.exe
19424	steamwebhelper.exe
18640	steamwebhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steam.exesteamwebhelper.exesteam.exesteamwebhelper.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

steamwebhelper.exesteamwebhelper.exe

description ioc process

Key created \REGISTRY\USER\ steamwebhelper.exe
Key created \REGISTRY\USER\ steamwebhelper.exe

description	ioc	process
Key created	\REGISTRY\USER\	steamwebhelper.exe
Key created	\REGISTRY\USER\	steamwebhelper.exe

Modifies registry class 64 IoCs

Processes:

steamservice.exesteam.exesteamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\DefaultIcon	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\	steamwebhelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\ = "URL:steam protocol"	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\ = "URL:steamlink protocol"	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\	steamwebhelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\DefaultIcon	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\URL Protocol	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink	steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steamlink\URL Protocol	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steam.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3632047111-1948211978-3010235048-1000_Classes\steam\Shell\Open\Command	steam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steam.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

steam.exesteamwebhelper.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	steamwebhelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	steamwebhelper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	steamwebhelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exe

pid	process
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
1876	SteamSetup.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8576	steamwebhelper.exe
8576	steamwebhelper.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe
8128	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steam.exe

pid process

8128 steam.exe

pid	process
8128	steam.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

steamservice.exesteam.exe

description	pid	process
Token: SeSecurityPrivilege	3424	steamservice.exe
Token: SeSecurityPrivilege	3424	steamservice.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe
Token: SeDebugPrivilege	8128	steam.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

steamwebhelper.exesteam.exe

pid	process
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8128	steam.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

steamwebhelper.exesteam.exe

pid	process
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8128	steam.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8128	steam.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe
8184	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

steam.exe

pid process

8128 steam.exe

pid	process
8128	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SteamSetup.exesteam.exesteam.exesteamwebhelper.exe

description	pid	process	target process
PID 1876 wrote to memory of 3424	1876	SteamSetup.exe	steamservice.exe
PID 1876 wrote to memory of 3424	1876	SteamSetup.exe	steamservice.exe
PID 1876 wrote to memory of 3424	1876	SteamSetup.exe	steamservice.exe
PID 2736 wrote to memory of 8128	2736	steam.exe	steam.exe
PID 2736 wrote to memory of 8128	2736	steam.exe	steam.exe
PID 2736 wrote to memory of 8128	2736	steam.exe	steam.exe
PID 8128 wrote to memory of 8184	8128	steam.exe	steamwebhelper.exe
PID 8128 wrote to memory of 8184	8128	steam.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8228	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8228	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8368	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8576	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8576	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8128 wrote to memory of 8776	8128	steam.exe	gldriverquery64.exe
PID 8128 wrote to memory of 8776	8128	steam.exe	gldriverquery64.exe
PID 8128 wrote to memory of 8844	8128	steam.exe	gldriverquery.exe
PID 8128 wrote to memory of 8844	8128	steam.exe	gldriverquery.exe
PID 8128 wrote to memory of 8844	8128	steam.exe	gldriverquery.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe
PID 8184 wrote to memory of 8892	8184	steamwebhelper.exe	steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
1⤵
- Adds Run key to start application
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2736

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8128

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=8128" "-buildid=1705108172" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SameSiteByDefaultCookies" "--enable-blink-features=ResizeObserver,Worklet,AudioWorklet" "--disable-blink-features=Badging"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8184

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1705108172 --initial-client-data=0x35c,0x360,0x364,0x338,0x368,0x7ffd606bf070,0x7ffd606bf080,0x7ffd606bf090
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8228

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1652 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8368

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --lang=en-US --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2144 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:8576

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2372 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8892

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2860 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:21672

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:20624

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1740 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:19436

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2460 /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:19424

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1740 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:18640

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3336 /prefetch:1
4⤵
- Executes dropped EXE
PID:18144

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1552,5375535581753606902,748377325284212606,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1740 /prefetch:2
4⤵
- Executes dropped EXE
PID:17996

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
3⤵
- Executes dropped EXE
PID:8776

C:\Program Files (x86)\Steam\bin\gldriverquery.exe
.\bin\gldriverquery.exe
3⤵
- Executes dropped EXE
PID:8844

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
3⤵
- Executes dropped EXE
PID:9036

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
3⤵
- Executes dropped EXE
PID:9180

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=8128" "-buildid=1705108172" "-steamid=76561199088571760" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=1" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SameSiteByDefaultCookies" "--enable-blink-features=ResizeObserver,Worklet,AudioWorklet" "--disable-blink-features=Badging"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:16908

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1705108172 --initial-client-data=0x35c,0x360,0x364,0x32c,0x368,0x7ffd606bf070,0x7ffd606bf080,0x7ffd606bf090
4⤵
- Executes dropped EXE
PID:16888

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1676 /prefetch:2
4⤵
- Executes dropped EXE
PID:16764

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --lang=en-US --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2168 /prefetch:8
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:16604

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2484 /prefetch:1
4⤵
- Executes dropped EXE
PID:16496

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2492 /prefetch:1
4⤵
- Executes dropped EXE
PID:16472

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2500 /prefetch:1
4⤵
- Executes dropped EXE
PID:16456

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2508 /prefetch:1
4⤵
- Executes dropped EXE
PID:16428

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2532 /prefetch:1
4⤵
- Executes dropped EXE
PID:16252

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2540 /prefetch:1
4⤵
- Executes dropped EXE
PID:16188

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2512 /prefetch:1
4⤵
- Executes dropped EXE
PID:16084

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2640 /prefetch:1
4⤵
- Executes dropped EXE
PID:16036

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3092 /prefetch:1
4⤵
- Executes dropped EXE
PID:15912

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3080 /prefetch:1
4⤵
- Executes dropped EXE
PID:15644

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3108 /prefetch:1
4⤵
- Executes dropped EXE
PID:15448

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3112 /prefetch:1
4⤵
- Executes dropped EXE
PID:15252

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3120 /prefetch:1
4⤵
- Executes dropped EXE
PID:15148

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3272 /prefetch:1
4⤵
- Executes dropped EXE
PID:14888

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
- Executes dropped EXE
PID:14784

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3128 /prefetch:1
4⤵
- Executes dropped EXE
PID:15036

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1832 /prefetch:2
4⤵
- Executes dropped EXE
PID:12972

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5892 /prefetch:1
4⤵
- Executes dropped EXE
PID:12932

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1832 /prefetch:2
4⤵
- Executes dropped EXE
PID:12532

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2620 /prefetch:1
4⤵
- Executes dropped EXE
PID:12152

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1832 /prefetch:2
4⤵
- Executes dropped EXE
PID:11852

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --disable-gpu-compositing --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1796 /prefetch:1
4⤵
- Executes dropped EXE
PID:11812

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --disable-gpu-compositing --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5568 /prefetch:1
4⤵
- Executes dropped EXE
PID:10700

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --disable-gpu-compositing --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6316 /prefetch:1
4⤵
- Executes dropped EXE
PID:10452

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --disable-gpu-compositing --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=76561199088571760 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6204 /prefetch:1
4⤵
- Executes dropped EXE
PID:21912

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=5388 /prefetch:2
4⤵
- Executes dropped EXE
PID:21028

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1636,13514140651505268948,11873266147654173402,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --lang=en-US --service-sandbox-type=audio --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=76561199088571760 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=5772 /prefetch:8
4⤵
- Executes dropped EXE
PID:18352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
1⤵
PID:8672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:19300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:18484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:17900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:16700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:12856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:12432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:11700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
1⤵
PID:18180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:10068

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:20636

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.0MB

MD5
7dbb8bdc50dac946ee42ce8f4453fa5d

SHA1
e248169cc6b4669418642c34aa1ee1a09813c473

SHA256
ac8cf328dc6ae94412ea3dbf3b87b69b7065ae20b82ec11d1b5acb6cae4dd70c

SHA512
a2016ebe3c37f980e674f51d0d602197ae152a2f8a8084365a3975b4f01696633c5da9f9a38a2af07e9899571e40a9878f3acc7282b05c5f8ac51e4d88654126

Download Submit
C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\appcache\localization.vdf

Filesize
7KB

MD5
39b43e708bca0548e4cbcfd007a83470

SHA1
1aa023453502508465be46a854173451138539fc

SHA256
c533640c1cf1fea1c0d611f42caa5594d3079004ff7c93e588013ae88521f877

SHA512
99f9993850b774abd86383e37a71a3a42ec7fe15545a1dcd60257b8fcb7b5e6071e8c7a7d70eb1fa83dffaedbb1ec259b556ecb298a3486966e029ef03dd1f4d

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\config\config.vdf

Filesize
10KB

MD5
ecc03724e933f7aa3eb5e1bf108080d8

SHA1
0fbb2a09ee53eaea02a4da575b9da6f9d94355d2

SHA256
482921c83e48e5f89324603be08c829d31bd2a1c5af2ae81fed74a5fc4bc08f2

SHA512
746aaa15a5e4603c42896513d083c9decbc2655ef165243792daee3d97a39c137ed2d74ee908df3a90717380495bb4f8d32a88df3dac9f06ec83fec52d6b850a

Download Submit
C:\Program Files (x86)\Steam\dumps\metadata

Filesize
236B

MD5
0c2d7f7bfca106c8f005c06b8c6daeca

SHA1
1024b22a04184163894d1731c5aace7b6c32ba01

SHA256
fde3ab878eca33fa3714907824cfa40887a5843250115bec081cb90aaa21fbd0

SHA512
ed26cf55f5a2bf5d22b73f1ebf72ec8abd79d43d4a667cd57c2dbd1b3d40409ee118e31bcf47eb8b9ca4526f2e2d097bd79f2c1caeb903c55bc3ab79fa207812

Download Submit
C:\Program Files (x86)\Steam\dumps\metadata

Filesize
664B

MD5
e371176512254a0a66822c243f0b9c55

SHA1
9dd9fb8525f57472ff104ce8b56af88a731f91eb

SHA256
96c2c7febd6615551be13df48e64d49e4c0c8a360d3ec5b57c773e0d2956e058

SHA512
d5b58a05860f2a8b3fb0c4c4a744f51192afe6a53d052f3a4b4bee38e2e39635d0216688828afa04930d13aea54bf2cc352b5b0ccc1a717345805ba431d4474a

Download Submit
C:\Program Files (x86)\Steam\dumps\reports\0a8bc400-8877-4c16-a346-a50d0d4aca18.dmp

Filesize
371KB

MD5
7a6f9f09d615a0cf474a9e3130004842

SHA1
72250ab3844cd2e034c01595b354cf4c7fceff05

SHA256
21c5c90de312b5d0a3ef1a68223933ca8680778c6ae97d67667a9ff0b4e2742d

SHA512
962cfb728de52ae05f26992e19c4e7bac11ecaa003c3ff3e33ce6085022844630b88f1caaa2b0bde24e551bf84cfc04795fb3f6704093913d45a65e4484a4200

Download Submit
C:\Program Files (x86)\Steam\dumps\reports\3928340a-9032-4d52-a9d7-cd8bdc52779e.dmp

Filesize
505KB

MD5
bad3208572f8e0aa22e03c433db5b2a2

SHA1
40f3aa2483a953cfd0dc811dd8323f71ebf786ff

SHA256
cb69dfd36ee4db884314f2710142393ae3048c5c54e97dd63778c6615a1a961c

SHA512
51948f37b3a08faea10ab941238cfc791741552dfd3ef619bb539d5c5f3f8fe68f192cb69c7678459c138536b6eb5496cdf1db3b632e5aa5e68c9ffa59779efd

Download Submit
C:\Program Files (x86)\Steam\dumps\reports\4c23bbcf-463e-412b-b294-f62f284c652d.dmp

Filesize
364KB

MD5
3a8ce407a9580d52043ea1b49fe36cbc

SHA1
ab001943f1ab27cee8291bf7b5363a13ddd49a85

SHA256
14e26df43d9bc47831c64a41d3914ecb3b0eef38d804ee4bb30f6b9c4603180d

SHA512
f253aa870341ad8d07968b37838caf4f5db5e5c00029c21a356bc37130908fc0b3754118faf35eb84bec92451e7bc9ec5d0ebc9f41a64d40d103bcd36248bf10

Download Submit
C:\Program Files (x86)\Steam\dumps\reports\5736fc9f-2a52-4ce2-8933-385286bc755b.dmp

Filesize
377KB

MD5
cea6791d89d77c9abb04abfb517da94d

SHA1
fdcf565e060bafe2e54f6dd15e63afcaefb6dd4d

SHA256
ed228860090672f80a3fe8ad2f748f73f1d24b0d87396ed70ceede5c5377ec1a

SHA512
aca19a701f9764522e3674d5f05c4139aa0e255c8ca94188b4354062c399d82d8f73abc2baa8c3bd8fa1c161dd48464332e50cc65b6a3a91dbbb068bb8e6ca09

Download Submit
C:\Program Files (x86)\Steam\dumps\reports\ad8933a0-1a9f-4db7-b2e8-f7f22b574ddb.dmp

Filesize
383KB

MD5
97520d01cdfe2742a9abd3ab300242ad

SHA1
bbce0c89b1f8aeda975cd3d0c33c2d47a64c7f98

SHA256
99288be658bb82a5fbb14fba4a2b5b0e4d71c3d575a86fe4ea7f533f5014263d

SHA512
0bfd49acdd436cfd6b098e798407cc83ada42a72d5bf31df2a7f5bbe6aa38e102a13011de816984949f9327d84c6340de9c4e6b38257da4b829251fe799bf6bc

Download Submit
C:\Program Files (x86)\Steam\dumps\reports\d09dd324-edf3-4eda-a4df-c1fe6f096e19.dmp

Filesize
472KB

MD5
b5c5fc76044599552bb4135e84fdcdd9

SHA1
a7e9db191bdaea297dbbf1c41e11cbbe5cafadee

SHA256
51ded2dc4b0bddc7128810ea16dc1e9f39afa8a56d1c3d872684d39e2a361f1e

SHA512
7a0ae8e8b72319e9f11624ab3e0cad6dc14705613633d1623ff231c5d897189e205c5c6a9645bb49ff85938e01fddb7d1bcda88e3a08aa43485928deec3960c2

Download Submit
C:\Program Files (x86)\Steam\dumps\settings.dat

Filesize
56B

MD5
57d9cbe7bc837797505bb2b6a05a4f37

SHA1
59d27da9a18e8caf0d983f6e132b1ffceecf5358

SHA256
30e5850203fbb506ba37b92fc30f7368dddf0855b8022423de440715f27f588a

SHA512
f2a4db24a6d72a320616b764f6cec0acae1dc63df3268adeaa5c95f3ed8a4a6aada23bcd2a90cb37d9bf4451cccc24f17e053711ac95eb0e6e8838e02bbdce28

Download Submit
C:\Program Files (x86)\Steam\dumps\settings.dat

Filesize
56B

MD5
84d4fa77c7722771d7b86b893fb0240b

SHA1
0a4ade6beab94f116304d8a1e11021b83fb18e88

SHA256
cf504982e836d17823bdec4971d9ca6b07caa563689b85b8eafd5783ea6218bd

SHA512
67c0443e46d3154fcb31aa6a52ff6139fb9790ae123a76dc2dd46e4847c1cf782ceb477d7aa45048c4fa0337c3dcf56e11f9e0f8107c0901f5d8490c7f554aaa

Download Submit
C:\Program Files (x86)\Steam\dumps\settings.dat

Filesize
56B

MD5
c3451e0a5155185717f431cd46cffff2

SHA1
082dd2caa963b90864090ce982a787fc8d515467

SHA256
7d5844a96aaf5ee40e134ebaf4548b0cd93ccd86a63e30f57211f5229bdb1128

SHA512
09d1873179a0cfef46fa84722322872184a769e35515c757707b8ef39740a1078d915f1b0acc9894922b02b601d630fe81b3228e030458b0eb1fd1a7191d61bc

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
8ebd46495dd3b4ab05431c5c771d5657

SHA1
e426214322a729faddb5bc80053af5750c76683b

SHA256
70c39d5d5b16640165de19cee80da4a391035108cbc5f5009372a86954f0fe92

SHA512
53afd923f583eda4db580935a8cdd62413af8e830c04f2c12d15c55e905c114ec11a5e4483660601504c27e9350e9e47c6432f8f699464e11c5050fe846d7dc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
239c03a3dc1c27993da724736d086cef

SHA1
ff88246f8ea3502873dcbdc622378f006c58a2e6

SHA256
b387e2fb971297d3438acca130c53dfdd202ae2ca5b52d6503333734cda4fbfc

SHA512
656922e8f2dec46ef36efba5c85088c47b02e89f62b27559611fcbe6ef85c6cd8462a4532e2d2d7f4faa977ab24f0de6f5f72e3075f8889db9e6e60baa162a32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
6def4d3cf1453d5fb69d22fca29892a4

SHA1
09fe62653e55668de75a9fc5b64949ea81eb4991

SHA256
60c29f3c57c44c58daf69be797bfede31967b1ddfc9bb68cb7ddaa0acda67c8c

SHA512
ee4f3f5dd8a8aadde9cff8f8aca8a45fa419c36fd8a4a7d3af9b71e1f7e5d9e1d01c329c70e6da53238822b536e35224e55004bf2e1af4ec17d5b56ccfc58549

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
2fe6613e267857982d7df4368c9827ec

SHA1
d520c7427b283e3ff167b850ab15352e46d328d3

SHA256
2eba5f3f0b0dbcc2cd69c36c220a2355d1ba3cd67b6e25b5846c80e1604bcac0

SHA512
cf2fc8978adf54dce5700eda7d8beb4917c89bf5458131171eab95463e1b3a3315770f4baae07e498e8e36a8478f09e27054ca2d06b4542c86d8459360572be4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
594be5b10d9f551e551cf20eae0e6dfc

SHA1
191c20f5cb0c27ecc5a055fa2379694f5e27a610

SHA256
e350ca62e777da4da6d25885be96d48e7ce3acf021a74f2a4902354a1bf03fbb

SHA512
e27bf6593a177c22e16ddf5a44d82b34b02063645a7fd63943b936028d9c433c89628038768a300c296c2d3bcab2ef6b8532a19f7283952d041865c704f62b0b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
da69785dfbf494002f108dd73020183d

SHA1
34bb6061cdf120e7dced0402e588c3f712cf2dc0

SHA256
8cce22e7f13486f2bc612dcc8fa31d81038e6084a350fa10299d40c3a7f878c8

SHA512
db773783b63ed1d66a59272e05304c174b69f85d2838ae8049dffed6b6b30c2011fd9042dd652f9a1733a2b6891870b426cf1985d41921e5360c9b1ae1330e20

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
395286db3e67a59868e2662c326c541a

SHA1
716014d76622612a1bde2d4e1744d024f6d0b830

SHA256
02e48ee4e10354a2b2741d2e57ef565404753779f847906b5ae5c98ede06c01b

SHA512
64cdf1e6701ea57474051e338eee74859fc0ff4acd71ee0718a9b8cd698e94a9793c1901b6791fc0fc268c53fbc1e7e2f94ac1024f3f8765bf713954c194b0fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
b9e30df8cf272813b121133fcf259752

SHA1
16706f982f16d5feb9c808f94b8cfa50c23f5d80

SHA256
88919d7be26fb3e06401fc0254733d92fd743ecc56da4177b41613e1f094c3e8

SHA512
7beb65c0477b02742741a8ce23557f4f15e8cf1b1ef03a6bbadbf594bdf2cd686d7356d93719111d27b309a10ca75846765a13bb3eb4d0411785dfb13a675fc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
5462f47e56b978659ef56f196db013f4

SHA1
4749824d4e909369f59217d4980963ff17353f3f

SHA256
cbfbe91d4a4661df814ea447c03f4ca872ef3e27073a1eb746faccbfe75afc8a

SHA512
5a437968fc06619cf553ced32dba9c7c948f4364f02c8017986e9a4f09e9832b849c7e0567485ca1beba34a258d29b2612ea3ed6045c81777e9a5201139f81a3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
31bd3d4d8de5af4642b21d586d5ee54d

SHA1
552bebb93c71cd8acd72558db1810530909fb276

SHA256
52f256ded29ce22945b5bc0ef7a227189dfa91da69265ec13283a7067c239071

SHA512
cea49fc70b18a1294ec7e564ff7f4d1ff7efeb0db1cf1b088da6adcecc282569380f225e9a150d1666c5c1977ba4de0a5d9d667c72cfb8569a50546b978e9132

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
e9b8fccdb78bf9d275b79c75b2ff3e7b

SHA1
4b549411ed4db0f0a3699e76531353c226b06a76

SHA256
41ecfe0ffd6043a66a41bf9ea032712f2d1bbc19b434c6c666a107ee379f21e4

SHA512
4ce905a31f3a410712722271abd7e0a9a6c43646b61a321912b4a8e8f6fab68ab69add1d701c501bb069b8ecb65ecaf3bfa9be983933d0234a8c81c24bc6601f

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
5c7bc92e0d948e3bba3f26f64a22fe7e

SHA1
bd259397a312bee9b8262058c30e0e354eeea93a

SHA256
5e6b0978fe8e2d14905f46e089b06681d6dfe76dd0c1551c168171ac4de75969

SHA512
8a6e18ce3d38a9658172b1871255a9941c572114137e468f130956c73ff13f282a46074a1dda6404dbdbf317ecdaadf01324194b8f8c081f862037784f4946ba

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
1a537a1d30fba1d3db449a9207b63835

SHA1
ab6903b4c8d6bd3571960b1218714b8d76b1880d

SHA256
49b6b664d50a1ae0c732bcfbbdd1db1812ddccf00bcf5f40200f0e7cff5542ee

SHA512
1215b0d017a6e3ea207edafe8edd500a91a7a971b2f989d8006fa65e475ae32ec00df3e8ec06b4077f64f5b789c536bfb9d8b9945ca0e0731d68e48876bd8459

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f8a86b74ce3b446e3111d1480b5feaf7

SHA1
af21c55fd6ac99e65db55af9b8f4ffe790c4382c

SHA256
8a049b6126e904dcb9ba5d8af21cc0ab25ca55221cf2cd48eea45504fe23083b

SHA512
70f8009f5940b10b77a6c152c8c73f3dd425fb9ac917014504e8116ef00032888de686271e0262cbe7a55c6e605e837dcfbeb54ece71e49646b1030195fa0845

Download Submit
C:\Program Files (x86)\Steam\resource\filter_banned_english_cached.txt

Filesize
1KB

MD5
2ab877286ba3ea65e11960beca3238cf

SHA1
7d23d001976f2df5cc5fe738b8bc4c08753b3fdb

SHA256
666e4a7caeabbeab0279b3fc0c4177a844784ac45cebdef946544bebaafab908

SHA512
e443a27548ca5c04135feb31c2ece9b27d8dc09e2659dcc57d26599d332b30e7c6e5d11268a614611ee230faf3bb3303d99c4afadc904bd9e972613c56f13cdf

Download Submit
C:\Program Files (x86)\Steam\resource\filter_banned_english_cached_timestamp.txt

Filesize
29B

MD5
d4844cc074a91d6cc599ee2142f37004

SHA1
f51560f479d903cb68da7368293146c14fdd6afe

SHA256
8d5341570c83f7b639b960a927404cf679f0cc51cab486e74812919568a86d00

SHA512
74de26e71bf0b9e15d35fff4f52f1361ea2b492ce8a6144f567986abfb8534f332d90945d0aa1d4de4cf70343fcd2f08f184f4a48b37f80670fc84eea24b640f

Download Submit
C:\Program Files (x86)\Steam\resource\filter_profanity_english_cached.txt

Filesize
2KB

MD5
61d18907a85f6f263431e335d6ef5504

SHA1
24b135bf8a2e8fed724e0738f823051f87769f54

SHA256
a99f8dae7d1acac74fb32d07cfe0915f38f5bb3bae8b6d8161c3a515c6484070

SHA512
76e327b6cc6e70a8bc3b95e9bfb649eac89616592a8e9f473b574a0584853769f2ad99595de5e9fa85a324d03a5c0f00450a32efc84c5eca0fddff1f079b5ef2

Download Submit
C:\Program Files (x86)\Steam\resource\filter_profanity_english_cached_timestamp.txt

Filesize
29B

MD5
89a8a2de41a799b67f36537b19d31657

SHA1
b219cb9460f686240723a07013c58ebd9d5f734c

SHA256
40e7dce76c19927704f026d07329203827ce1d542f4ce8b3f7894e200fdafc42

SHA512
c5ddf7d26929118fc665650ce4eb7cd97b32b8fef68ffba81d33345d62017b879c4ce4148fee15172d4ea47d11ea31ea499872b9517f69c88f4402cdf49d6285

Download Submit
C:\Program Files (x86)\Steam\userdata\1128306032\config\localconfig.vdf.async8128.tmp

Filesize
24KB

MD5
9a3949714151bdbfa67c6ad66521013e

SHA1
f08c30df801dbf3213dbf04188eb68202f6f7072

SHA256
5279dc7416ca66fe1dcb7bea64e143da9e70b029fe07eca93d8dc303f9bcf090

SHA512
d6b0c877bf4e4a0d85c9578427abbed27b4a075f0ae3af04929ea2c161df90a111e7cabe44bc3bd6877690e0dd7c84e0de780544375f725a8add08547c74811d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\6ce6a6b1-19a6-4278-9d75-ce6f0e3d73cf.tmp

Filesize
1KB

MD5
23127c54abc4a1ad17557a38fc9e28ea

SHA1
aa46c749295dd1129ed361a556b495bdf24b91d3

SHA256
034b170fee109425a26ab245a7cf41b53b1af1c684e87f4e9f054b9a849f0160

SHA512
c811a0b66a1f03481f3f366750588a0e73cf9847f0c4fe614003138667fb79256bbc414634f8776f9d1104a7b5f534ca5ddf3d716d9ed498bd62e3b48f6c77dc

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\f_000020

Filesize
57KB

MD5
72fd44b21fc7250d5b05de04b7c78e93

SHA1
1fe693c772e9ab7416a867c88264460b9f536458

SHA256
f65f855c48da52dc0cc6c514b178f522ce6afb28720dece889d3ed103509e40b

SHA512
c206ca5e94c8d33c0b829868d73b244fd3bb4f4dfb05d70170301098b47522346f03813342b01d0714d1d0a4b694429e1771d3eef370f850d7e0b4bc8f5e5dc9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\f_000026

Filesize
30KB

MD5
9a8a24184d5c09f8a9863e615f1792bc

SHA1
ff42fb33482f0765ac2055828a8f7a7b0e978dd9

SHA256
5f7bdb87482b35d0e89a1372d1aa4d0c1c7ef52ad5960dcdd111fd294d9151d3

SHA512
ab72cbc328c32272424edd3f95a9452d97f217f4a3def36ea4a5fde4a1b90bff0b7000b72305d02238aadea01c5d32dd820f383a5d91c3604a2a0f6718f3d5a6

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\f_0000d7

Filesize
54KB

MD5
d53a259390ee57f678fa5f333a822c65

SHA1
9b296ce5e501c1f37437d5337ce76a09344f5326

SHA256
8c083e63fc67fe905dfe5ad8840b877d10c6241a66fba49474246a815f550764

SHA512
1722b0fb08cf550cb5ab233c932fcf718d6d3156f2c5990794962aa78d66b5393319028ad53dae4e8139df649d002942182ec77abf6cfdc4d356fbb002410265

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\temp-index

Filesize
552B

MD5
22c872a70e41e4d7742707008f9473fe

SHA1
34aff49303b6269f0defd28ca2e201937fb04948

SHA256
42ad8741833dd3c703d04deb645cc6cc0b477fbc61c419f9a83b7138dd0974a2

SHA512
6d3aacb34b1e6869a2a38205de6417d16b307be9c1fe58c24d7dadb03b734ed2106b71e7c5bde42b3b4c519175379b73afcbc59d159340eb59e6c2ddbf96af01

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
2d72131ab11167a26c89fcbb66809f2d

SHA1
1d57146b7343cb9973e507dd44c29a0a66dd9854

SHA256
c36f6189f6d66433e0c33c8516b2ae94f8630c846a038c22338f68ae1fb76ee9

SHA512
add505ea0a1337c14eaae762688942e3309119d2457261453cde723f36867d3bfa194a07d8f42649d4460941c016b54a33967a935a8bfbae98e4abb5d3a98e87

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cd955ff55081a141cdc320bbca9dc920

SHA1
c5d279a293d60b64675bef6bdccdf5edbcb1ef96

SHA256
227d81981b2aa0f3f838105340a1b945cc6160881c335c2892913353c1f038de

SHA512
f838ea2bc594d3c85af79cfd2b0f5ed78abce1820c01fa45040bfdb447b40acf48ba0068897b86d3c5942b038efd6fd77dcd155872f34316b93199ffa6bc7c96

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
29e7f487ebc22057f9e2a71dedd4ae08

SHA1
ad6b25ed0ed55474a3c12b236c34e69868213efd

SHA256
70c629cc9e3599840865fa0ed6e846ae20378a14602ce0528398f0d459e59e02

SHA512
159dfdac9d067b8355f1be35bd642d1466ddef242de032023558641c613856303681aa5aafd41eb7cbd4244de93611a4b017178154abcc8c0ec1dd7b4d49bbfb

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe5b6d3d.TMP

Filesize
48B

MD5
8280b57bef77ccd9ce76e454dcc6a0a8

SHA1
77d2009b05fb49272bbda15e3084e65bef7b606f

SHA256
e9e8a8e93a43dc89ccb517fa7fe0d5f11c79b0896927ca0927a02d797203111b

SHA512
52b61c090e07ed15ac1c647e76ee81ca7024a6ec7723c62fafc358bb8ff17bd0e4f652c5e34c1fb1445fa411e137587aa882ac79b3a8bee1bab830bd81143f09

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

Filesize
264KB

MD5
fbf12a7d96c1a521a78b2393f175ee31

SHA1
2003ee0d7c02d12d0494d24e7929543125fdef8a

SHA256
83d329b45e774ea3d63500a1d7a506aff0f8475914c0a07acd6dbc57e2befe8c

SHA512
8f0c8da137f81715615a5f6b3b5dc14b711435b4bc8667448605ccee862716398dd16e2088c163e578cea8e3c1592c79b9312c123c1c76f483f9db53e1110e89

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State

Filesize
359B

MD5
4958ea486d67c2b799f431aaf4a908d2

SHA1
cebd10227b469093c5ddc42519c2ef95757d1b50

SHA256
568602641057f0c6692451251651c49602cff22782bb583abd62e13d6e611dc5

SHA512
bffc722ea545a2b68c24cdd03444b9ad5e399887aae7966e1dfb54a6c7f11dd7b17f8d8452768d39f14b7293e60a7ea7bed862e47808fd40cb535951f531501e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State

Filesize
524B

MD5
7e0f1ff3cc1227148db20dc953b1c101

SHA1
a674b305a6d4e34c06f9b34e41107984b67a0e2b

SHA256
a88d4b20499b8e70e7a64734985e670f9fa8d228ab2dccb978b81fc8c6d3deb1

SHA512
e3d69d7755d32de82ba0fe35cd9bf6535ceeea64ff614fd982e7373b4e1c9e6b6854bc196e303e77848dc53689105037ae1e34e052b50850e6f157c3f4102598

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State

Filesize
281B

MD5
4f4fbfb7737e87cfbb80a987874860ff

SHA1
977da277e10611e94392aeb4d5efeeb991dba2ba

SHA256
920ca649d86c9cac8adfc9ce3da56344d15f6a1e2e7fa2b7e49824ebdc7a691c

SHA512
60a9c87360a8d1b256eb342a95e73bde00ffd268fd89b85d37807df8604391a0fcae1511b47d4a7fade76f047bf277ea003e29454546157d12cac993123b40fc

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State~RFe5dfbf7.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\TransportSecurity

Filesize
372B

MD5
1c5cb193a753bd2d4b256bc21aab378d

SHA1
72750ed441110f662139a8fe0455828867224149

SHA256
850e764531263e9983739896fd8a8f176b01bb1cea8ca05bc6e4b24c9144ae93

SHA512
cfab5c458c879fe06d46474e3a032ae45edfead5b3c1e789e0ad08e1b07c05c25713985dea1c7626a452a48d1e936f3758480d517dd9db5e442002f42e8bd935

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\TransportSecurity

Filesize
372B

MD5
9b79495191be42d66fa894674d568bf2

SHA1
95d1e707dc829fec230a85466e96c4bdd05a8821

SHA256
8ecf05f968f5dfc09400bd82d1156a101f7483dbace7505c7a3723aacb91ce22

SHA512
f99a51928f6a6361385d87386b100f215bb1b52343edfcf9c71159a1810db33a9d2b2b69d14f44ef065d147a76c9ff768170210bb2a0e7994aee73e14f742efe

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\TransportSecurity

Filesize
372B

MD5
baf90365285420509838001f9144384f

SHA1
40fbd6c9742b2326f6228de533f081bddc924cab

SHA256
b5432f1bd9e6aa76b785c8190c5b1eb8412f65edfb1ee2453fc54847330514be

SHA512
9108a712ba33f09079c952baee58d08ac3f77f44941e4dee43993bb9b00d774f065ebbb917c839be542e56731e0858c7a6baea1225ae861d86b9776a9d558dca

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\TransportSecurity

Filesize
372B

MD5
0c71004c41656301f6758c3786f8a0b1

SHA1
cc02b4fb78fe191950d51c7bf580d02bf2e175b0

SHA256
996054dcf3a8eb02d02736398e874bf93f671bd5f18924b9b5c64e5803797261

SHA512
62308b30e77a034a6f3c7a091b8c12b6f2a3e5b090967af3d22ee80001e907bb054cc7585e94488e5f7475c22e0bc736810c029061e1aa963f3d8b5e886298fa

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\TransportSecurity

Filesize
372B

MD5
41f1398f61ab6ed0992e261f050e90ed

SHA1
a3298c382651ef9717b13f663b6f3592f8e6df9e

SHA256
b7e6ff7a900b4fd00582b834b3b4bea93bef9c48d284bc3b90e28849d2d863eb

SHA512
2524c04fd4cf22b2cca113477bb04e60925ff31bd38e2ca2b2827998ebe904a1d0270a4317285e3ca536d8d8e95fd05ab1f9b99d86542e60eb4c933bebf3d2fb

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\TransportSecurity

Filesize
372B

MD5
505426d213185aa6dc9b1742e17d8174

SHA1
047e3648596d58ad63aa567aef36ed5653284473

SHA256
b07ae5837d21d17c5af9efafa45aa67e27923e6f07304b6c6776132a7762faba

SHA512
cf175316c83a944e0bda8f203c190b5f9e649c0df94daa82355e1fcf25e16d0f4aaa1882d5802b5c2418e4c465821b172c45ab787ca2f177d559864f0618b550

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json

Filesize
1KB

MD5
7fa3fe611fca4f53a03fc4db29a15acf

SHA1
d4ea0e98faf09ef227204252a00a0efec8ca5fd6

SHA256
f5dbead485e13ccd03012c30e21cbd82a7ea3d5d702661d9b5066cf3b15a019d

SHA512
03c3690779ebabc7d04cb9077f4aa0c97355642521fbed24d2f2142b719a74b5bd6c49e87c345e58316f63f42b579bbe662bdbca88ed70da7e863b93cc2e4502

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaADD6.tmp\StdUtils.dll

Filesize
99KB

MD5
98a4efba4e4b566dc3d93d2d9bfcab58

SHA1
8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

SHA512
2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaADD6.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaADD6.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaADD6.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaADD6.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaADD6.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
1623cf43145c21970555a845411a583e

SHA1
ba7562a7dc32699a638a4be15eb224662c5e1076

SHA256
74a57e1b05d7fc77cc7ecd4ec63bb954fe5d15b81bd85b3de573811b1d245442

SHA512
06a191f570488eb36ebdfe81140de09e92c1d8d7d2b5baab486b6f4471d6746e3afb94d674f7316276704ebe05a38eb9a775ac6618e44b98855a38abe2b16f1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
fd5329b26d48032f2ffd2431fa041508

SHA1
eb3f92cb41ba548d3ea48fac80321cba05acfb00

SHA256
641fdedc1e6beb2c10505b4d419545a81a9881be9aeb69b151abf4d4a7614cc1

SHA512
c4d3777138419672581780a761ec59ae03ac37234e1d31903fc57bb476d45672ef50783d298bd945875f85cc0d824c7b39889854da1f4669ddc99968bbfaa2d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
b1498b0e617d8167d1f6635fb76babf8

SHA1
aea53654ff060cc53478abb84dce2a6ada7fe051

SHA256
ffc7101b23a19ab0e1e8408aaeb5d8f6c6e9b1f7f9b80988e966e392414cd59f

SHA512
f6e8a40cc0dc64a60c89648fd4a10db5a68b6a6cd362e64c79bb87b67e8ccaf789c9ddb141a021f5a191f45e2968cd6c49edbcb5709da74478a74f8826d00ced

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
6492db8bcdd467046b367fb0d33c21a2

SHA1
ee431efd1ba04d13e0bd427d0cf94b2ebf47ecd1

SHA256
56ddfe468d241ab90fa9a42ef43e63115e06ace80bbb49cba50c8a24664ea87d

SHA512
6b427f657eb1e348986c07f28720332e7ef3899514f960662513a1c5d78823316d2b96acbf27249fb2a3ae8273cd3aaf49c58dcfc8002e6b17175525b73fb574

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
776f958bbb0534ad01bc4d60b56d95da

SHA1
6e27db43ad11b5c670ce7c7c25d041b9d8df566a

SHA256
54aa42362462589c46d0316f7a53cc426c5e0c222f60b507094324a5c563dfcb

SHA512
330af487e496afbed23b6ad0a32976475faa062698991cb3300b5ed08b2d0d5432a78825b81ece27bf77f818543d9841c093506283bfedf42cdb876f753ef5f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
709989399c84608351bb0be308d06332

SHA1
f662db309315a8dd51d5824b1ff4ef204dec59bd

SHA256
d12d40d060b2e1dd951259512310d05bb4378b3f0f90fa5b46ff487c77cd2bfb

SHA512
d780b2332f523384d5a8a77bd11690c8b10b445a0a9d391e5af2c9c8a5f780752d20c9e88fff8caeeee8dbe2bf8852d33896949aea9b077ea95d7fa123ccfb46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
1151f543e7b1894ed3ed30d6c57a6350

SHA1
0e4f1a8de613cd16ab17e0e02114a19e1984cf85

SHA256
2dbf0e3e0f811957b6da66e0f045c2ec31ef29328c419c7a55c446a503491890

SHA512
34de2b9f4a8f907808c59bde980949a2dbe665d0cd991c7508048c75863e891703d148a0cb3d61b5b25a89a7041e93ae60b7a8903fa214d040cb137abff3d2d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
11KB

MD5
61588ec19be55a3da61090c07cb15051

SHA1
734930ac7aa90e4d8a27646d5db283193149fc66

SHA256
fca39476bdd76fa85dd7238daaa54d9b74fce5efbc6d248aad56d94a6e4a8586

SHA512
a2235f9d5f5d47a7f4413b2e373e37fa6f093a0cd62824a7e2e7c42c6c1fc8b87785932c15bc6b1ad9148ba233e81e5072957d42ee620fd043cc2893fd215827

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d356105fac5527ef.customDestinations-ms

Filesize
6KB

MD5
0efeaab846fe88423ac7319e66f149c2

SHA1
bddceddec2e1e665f979a60db3962830153a1e20

SHA256
c541d47db08b814c74ce35df1ff8a3d6de3ab596a43add8207799d6d886ec116

SHA512
b88603b5211273ac22286c5ca3578447d2bd2aca012662c5f5a33c1494bfd067ffec477f574f232776258e3ac1cfd9b7ddc56d1f7566a27f31d3a2b97373299b

Download Submit
C:\Users\Admin\Desktop\CloseMove.ppsx

Filesize
338KB

MD5
3d2176729376257e97a5119f10d9a12e

SHA1
2bef187848412a5138dd165872c61deed44ccb40

SHA256
92ec7233588aa232cd6479c02b6364e65a3ff5644d3c3631513734a6f847e652

SHA512
7026fb9cebcebf642b1918ebea0e994a0db267825fa82c1a2b57a962e46f40b3f7eb3ede37d7fec6bd5fa3c297beb0f7f4441022224ffb2118b231fd086a402e

Download Submit
C:\Users\Admin\Desktop\CompareUndo.search-ms

Filesize
447KB

MD5
f0cb76be2fe990f9c12b4ac4fea17fc7

SHA1
01343143917993ecfc85c043b25c089112d309a6

SHA256
dbc2e4516485aa7aa1b068d82fff43a900bce83099b0d061c47dba954d95eff4

SHA512
4c6b08da96ca0efaad6a205df3d7b9ce37e5e640215646d4a7956a9cf3bd169061f9cdafb5962005f779df90e105d89d439792785d439f6a094dab716c73e01c

Download Submit
C:\Users\Admin\Desktop\CompressCheckpoint.mpeg

Filesize
501KB

MD5
e8e64f3be2af3ba334bd1d8f57590319

SHA1
084dcdb4eb082c8d0077eb7f26ba533e64c5399c

SHA256
28dcdd537e0c5c3024b551608262fe8addd4697d509f1d883c8b0126b9b01fe0

SHA512
c7b00109a84604bc7deb331d9c8d7e20247eb5db88d79f5f9930faa34e57c034c873fddbad6b852e6d3bee6a7a8f7912509ae01359492307a825576451a64b28

Download Submit
C:\Users\Admin\Desktop\ConvertToUnregister.mp3

Filesize
474KB

MD5
e273d5d5fe7c955538309c958b3480a1

SHA1
db13903e1102165bf61e8a24667e16506532ea5e

SHA256
cf9e89cdca4735d58a4fdf7477bf1662bdf897ebac70df8c4682054103596c6d

SHA512
3cd838c1bb4acef8f0b807a861550a7eb1eab1f917cbf576f24091a36ef13ad8e306d9ae517358231cf26fe7034a6b064fca101638f4e0de055bf37c5b459b0d

Download Submit
C:\Users\Admin\Desktop\CopyUnlock.emf

Filesize
555KB

MD5
a86386c1ab0c50aba68629ef6c99f5ad

SHA1
097351b56b79b1c5331291f4d4b213088ce23991

SHA256
d492a20967dbf64e0be35b9994606be5d83aae3601b89bd46f2dfdc3d3273df1

SHA512
f44bae48dc4b6e9dbef0150b2830f5166efc34063c3ecb489e1bb0138b025dcd4c1990c10172948bbe1bd12a3b8b6c33d52151666a9d69eca8a11dc87b45bcec

Download Submit
C:\Users\Admin\Desktop\DebugProtect.cab

Filesize
392KB

MD5
f7fb05a8d37d4b0f2da61c2e50e112a4

SHA1
c5cec05d4657f9ad4539f3e3a3c3960a32bdfedc

SHA256
d44498ca1ef9a38ca28bba94ce218bd5d3e89421f55aa9540fe6105978f2a2f5

SHA512
2566220af0c4698a80087a821d3d1e4a02145a39e8d2a8c193117ec214a821999fa39567c533eac1be1f2e1c450f8f70d1b9e48025ae3a6a8041da2366e13281

Download Submit
C:\Users\Admin\Desktop\DismountMove.ogg

Filesize
582KB

MD5
daa547a7b21abba2a7129174136f8390

SHA1
eb0cc68cca513820641a05c4e3fda7030425a90b

SHA256
1f36a51e2d5ca795d483eb95767412b30c1a8f333f88922ef007b6fc25e44299

SHA512
b7655f441be0a232ada6a9d31b40ab2924a86934dd46f2acf991d77d02d0fb8c801361b94ea41cf00566b36d4963b3d9f9d26b4f97161907c12dbccf6bedad2b

Download Submit
C:\Users\Admin\Desktop\ExpandSplit.asf

Filesize
609KB

MD5
e4512619039e6aac8e8b6b83bd7a949a

SHA1
ec0449182656272145a8a8130e0ee31bf4ab5e41

SHA256
cb5dcacedba10e6c69b2ea37eb9931e22fd3aac87d26ba4bb3a32826a4adff78

SHA512
e8daf9e5d449f51580e7d76d7fb8e9c02b9c938dd3795d6781d0039ab2fcda12ba5f870a84e85e46a689d6f23fc1da8833cea4f5da63f7fb08d264be62db28dd

Download Submit
C:\Users\Admin\Desktop\FormatConfirm.odt

Filesize
718KB

MD5
111924757c3e35db431f764f749b8c99

SHA1
c5093d94606fa0ad88c49804af1eeaf5945ac7ac

SHA256
0f867e9d0930615cea9a4fb35d1abb8139275180593313b9011113507fe168d0

SHA512
05119a6fe3ef3102e7dc3828f1ca589d440391ca14f624f17881a2c48ec0be63cf8ba4a00812a9aa231b72808c5a61792ab90fe766a0dea959a258bce75710d3

Download Submit
C:\Users\Admin\Desktop\HideSync.xlsb

Filesize
745KB

MD5
2bd20359c6b8013deeb0709a2be105d1

SHA1
03df5bf81ee3888ffa6b19ae5b673e12f20ea092

SHA256
5927b2aa6069982621ee702df5c61f9813aae07233b192d088adda7a197c782b

SHA512
ba0b6765d559a5c47662e311d4d1eb5d12298768d80af6e38cfca0ac4b5cf4c9add20908649326f61227af205a337485145ca6dcd3bf8eb199958ec0e85745ea

Download Submit
C:\Users\Admin\Desktop\InitializeUnlock.css

Filesize
311KB

MD5
767192db2416816bd4f7dfac2b531d2d

SHA1
c7baa071ed5ebf47bac79c05239725d3881c6924

SHA256
8d917e3d3ee68a8ed88241c0f5a6fba9681bcd571e0b7c9f1d3c83bbd084d3b9

SHA512
8e063c359bdcf3b8150907a6501a29c2ec05dbcec3bca13a9405b7bd16b1eca574f2cb4382e53c5983ec0bfd94ccaf93778b6f272b711d78b4a5c73327ec8775

Download Submit
C:\Users\Admin\Desktop\InvokeHide.ADT

Filesize
799KB

MD5
6ff90824af9b7d13337283351fa5aad6

SHA1
69893b625c4800dac211f84a2997b1fbeec93881

SHA256
56e057ac629f13595ae074804ef9dad9c4694bf6ddae7f1f40f51ea219647075

SHA512
b437170ab30a8cc572c05ad4691adcb2aa67d008e9ba917441522d51f4deac0e9e2d92a463026fc83f8724dd4d409a782e0268320570df05ddff569cfd7835aa

Download Submit
C:\Users\Admin\Desktop\JoinAssert.css

Filesize
1.2MB

MD5
753bdcd82cd29b39a2fd8121a539cc8d

SHA1
913ab15e4c45b42863eb0c23ba8cc6bed0106004

SHA256
2df5d37256ba8b0fac839f8ebcecab548c6c23374afba768cb84bf3ed056f1be

SHA512
0f0e8db444b17c4955ce1819c53114a3ef7628218b591182479b5acadb0317953458d7c4e4462c05d9533da5dccdc27747d808abe97a06d5e89d0616bb7905b8

Download Submit
C:\Users\Admin\Desktop\MergeDisconnect.dxf

Filesize
528KB

MD5
a0de458c89d787eb30f4cee2acd8c14e

SHA1
c1e3b91760cca1b109cd590489c9bd2a558be51f

SHA256
3179371ab438feaf3b4e5ca898850f874ac237d914e571c2e3e461bd5a646691

SHA512
b4b440a0be67e8dc11355a103676a6a679f8bc37ec2c13051a7e72ca32d105a7677185feb6e0685975d14272b8574b0b0dfcb50b60c61d56ad49855582591c47

Download Submit
C:\Users\Admin\Desktop\MoveReceive.dll

Filesize
365KB

MD5
2b1c64d5558a42546e34ff298a463d59

SHA1
375d037023bed86ec834f2e74fc5afb511d908be

SHA256
f51b562ffe4566fd30cee172fbd62760d1f2bb23f190ba3bd4828fc53f66d614

SHA512
89730a62879aa6352d15e54e4fa95eddc0a5ce52e131daf814965360db6f2d21b7434ea874a921b210212185316a682a9ab0a8b479f44d970b95a946ace32a14

Download Submit
C:\Users\Admin\Desktop\RepairSearch.asf

Filesize
691KB

MD5
7592c1afb3c4bdd7627ddcfe73f8cbf9

SHA1
1c56f60c22269cebb0f7a69f9e4d3c00a9816e63

SHA256
2e1b073dc85e2c388f683c93370606bafe37a6306a91cac0140c856d500ba1f0

SHA512
ddb9ea572b5e3254fb5e40178b9dd0422509ab1ffbf39b95b6f9edc2968be8893e21960c22e7d857b0abe0dc537c5a91130159f018b1aead86039c0240caa778

Download Submit
C:\Users\Admin\Desktop\ResolveRepair.ttc

Filesize
880KB

MD5
59d17e206ddcc1904745a4fe3e201448

SHA1
abe77e0e2c72f86247b7bf1e22203e92f7b47cc5

SHA256
5cfe3e93cab9294c9b81043b736b89eaad1ff702d47f0f1b7b71ce9e919df395

SHA512
b530e48d30ff30ca399de8b389a9e0dcb6a7a05fa690f4aa211c4e0561b1fbb64ad51bfd224855e8e71183418f56c107d8da049bbfbec7296d8502dc80cc6b18

Download Submit
C:\Users\Admin\Desktop\StopJoin.m3u

Filesize
772KB

MD5
e413b282d232e8cc51bdb89d916ad35e

SHA1
84258481e2e65311e8ef7b6d4431efe8e494be79

SHA256
ca9abddd994fa91e766ba2154cc72e7cb760f925be25922076222c5997b841f7

SHA512
377cb6f7845abab86d5a9290953920d0925481c6691df4b57abe0976f2d07caccbb58c9ab859286b6ab745b8f25f2cbdad262704c057a861782c3c8b54cf3966

Download Submit
C:\Users\Admin\Desktop\UnprotectResume.sql

Filesize
663KB

MD5
bbb415c28db8af98667ea6a43145a135

SHA1
8b56b304302b4af99e7a44df1c40c32a0181c256

SHA256
4fdb65c60c440e0b1566e9281683c7d6a36084c51f76d29f8227fdac432062ed

SHA512
d1b681bd0d5987701a806f622c7789c2532baf62becb2be9252ae56e95c1e8dda626df80e430520f4980def15e34bd66d44453a9accb1bd900e0f6ffd8f6f02c

Download Submit
C:\Users\Admin\Desktop\UnpublishCheckpoint.ps1xml

Filesize
853KB

MD5
2465db35c50636e0b662d95aaa804058

SHA1
4945a8c36783b339989c951ef61efbff12d5cde0

SHA256
c6858eedfc64f9f32e4d6438f72fbfc73b1ed70c2050c0de8b4bb6767870df45

SHA512
85d2310bb26f3e1595e264e53d6213e4d2fd7976b72d6ccb40d027af552fe8c9a07818f90e23777c3c1f9af3968510fb981bfd7cc283daf68138098674368795

Download Submit
C:\Users\Admin\Desktop\UnregisterMeasure.docx

Filesize
420KB

MD5
d3d38bc877cb6768c0e261ac4c4f16b7

SHA1
240c42e57a77950e620639dd3ceb30d3e1983bed

SHA256
f375f80e8dbb8b0debd74675767b5e81e4c1b3063f70eac648f827cdefbc9c83

SHA512
6fb1486dbfd66635433d9e0110e8e884fb1768f9b00440a03546e93e59829408da2bedfe95a1e1cdf1ebf241d70986bd0730559e9be0b7281e76a98e3b382290

Download Submit
C:\Users\Admin\Desktop\WaitEdit.wav

Filesize
636KB

MD5
41fd643195a7566ee9bcfafaddbdfde6

SHA1
4d2ffc90f4292b6e67ce2869eef18a9c739d2d04

SHA256
b5ea43003a74284362a05ec78035d8537ef55ce9aeecdf3838890c9a4b912662

SHA512
e64aa1a7dc7a3fffb74c876e97afac4b8ef22934c972d97fad47b53dcf815681236ecf694cc3e9f2fd7e24d6fd011fd8c1fac18f6799a2a9b0cf07f213879551

Download Submit
C:\Users\Admin\Desktop\WatchResize.temp

Filesize
826KB

MD5
cac5553582be4dc9d0afb28e3659e0d5

SHA1
a0ca46bc5ec3ddedd05ee63f944e5871e35f7b14

SHA256
66601d3e24fba78eeb5aaa8e5ed496912a1487b017dff5e941d1183f0c21b092

SHA512
e4222305d788ad8aeba254836560c055dd94b3530071fa7d79946b9d45c83716d2cae5854e254cf191ae2e5dbc5053a0c10f53a4d70377889ed9f0bd078b1998

Download Submit
memory/2736-12397-0x0000000000F00000-0x0000000001376000-memory.dmp

Filesize
4.5MB

Download
memory/8128-12501-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12471-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12522-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12517-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12511-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12506-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12534-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12496-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12482-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12544-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12539-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8128-12529-0x0000000070070000-0x0000000071367000-memory.dmp

Filesize
19.0MB

Download
memory/8368-12478-0x000001D026AA0000-0x000001D026B4E000-memory.dmp

Filesize
696KB

Download
memory/8368-12404-0x00007FFD7FB50000-0x00007FFD7FB51000-memory.dmp

Filesize
4KB

Download
memory/8892-12479-0x0000026A89BE0000-0x0000026A89C8E000-memory.dmp

Filesize
696KB

Download
memory/8892-12423-0x00007FFD7EA80000-0x00007FFD7EA81000-memory.dmp

Filesize
4KB

Download
memory/8892-12422-0x00007FFD80730000-0x00007FFD80731000-memory.dmp

Filesize
4KB

Download
memory/8892-12480-0x0000026A89CD0000-0x0000026A8A13C000-memory.dmp

Filesize
4.4MB

Download
memory/8892-12481-0x0000026A8A140000-0x0000026A8A19D000-memory.dmp

Filesize
372KB

Download