1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

Analysis

max time kernel
562s
max time network
516s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
19-02-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dControl.exe
Size

447KB
MD5

58008524a6473bdf86c1040a9a9e39c3
SHA1

cb704d2e8df80fd3500a5b817966dc262d80ddb8
SHA256

1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
SHA512

8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
SSDEEP

6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4680	SteamSetup.exe
4456	steamservice.exe
4624	steam.exe
1512	steam.exe
26924	steamwebhelper.exe
10768	steamwebhelper.exe
12140	steamwebhelper.exe
27244	steamwebhelper.exe
27492	gldriverquery64.exe
3760	steamwebhelper.exe
2280	gldriverquery.exe
4708	vulkandriverquery64.exe
6084	vulkandriverquery.exe
14648	dismhost.exe

Loads dropped DLL 64 IoCs

pid	Process
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
26924	steamwebhelper.exe
26924	steamwebhelper.exe
26924	steamwebhelper.exe
26924	steamwebhelper.exe
10768	steamwebhelper.exe
10768	steamwebhelper.exe
10768	steamwebhelper.exe
1512	steam.exe
12140	steamwebhelper.exe
12140	steamwebhelper.exe
12140	steamwebhelper.exe
12140	steamwebhelper.exe
12140	steamwebhelper.exe
12140	steamwebhelper.exe
1512	steam.exe
27244	steamwebhelper.exe
27244	steamwebhelper.exe
27244	steamwebhelper.exe
1512	steam.exe
3760	steamwebhelper.exe
3760	steamwebhelper.exe
3760	steamwebhelper.exe
3760	steamwebhelper.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe
14648	dismhost.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/288-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1992-21-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/288-22-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1992-43-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-44-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-94-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-95-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-96-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-110-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-111-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-114-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-115-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-123-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-124-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-125-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-126-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-260-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-284-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-298-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-855-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-1241-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-1361-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-2918-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-10218-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13432-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13442-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13523-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13524-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13599-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13650-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13736-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13738-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13739-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13740-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13741-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13742-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13743-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-13864-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-14077-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-14178-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-14179-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-14208-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3480-14364-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
215	raw.githubusercontent.com
222	raw.githubusercontent.com
190	camo.githubusercontent.com
207	raw.githubusercontent.com
209	camo.githubusercontent.com
213	camo.githubusercontent.com
212	camo.githubusercontent.com
208	camo.githubusercontent.com
208	raw.githubusercontent.com
210	camo.githubusercontent.com
211	camo.githubusercontent.com

AutoIT Executable 42 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1992-21-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/288-22-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1992-43-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-44-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-94-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-95-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-96-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-110-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-111-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-114-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-115-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-123-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-124-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-125-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-126-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-260-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-284-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-298-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-855-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-1241-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-1361-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-2918-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-10218-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13432-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13442-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13523-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13524-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13599-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13650-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13736-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13738-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13739-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13740-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13741-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13742-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13743-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-13864-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-14077-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-14178-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-14179-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-14208-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3480-14364-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0334.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0180.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_lb_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_lstick_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_buy_down.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_folder.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_buttons_e_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_lt_soft_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_rtrackpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_030_inv_0308.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0327.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_045_move_0225.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_russian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_dpad_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\DialogCheckForUpdates_Expanded.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\mic_meter_dead.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_brazilian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\vgui_japanese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\chunk~2dcc5aaf7.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_rstick_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_rb.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_outlined_button_b_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_brazilian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_hungarian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_touch_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_button_a_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\settingssubbroadcast.layout_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_050_menu_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_360_latam.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_lt.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_mouse_scroll_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_triangle_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0317.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\inbox_notification_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_color_outlined_button_b_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_button_x_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l4_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\FriendInvitationNotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\cef_200_percent.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\Steam.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_rtrackpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_lstick_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_square_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_button_steam_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_outlined_button_b_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0326.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_dpad_left.svg_	steam.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SystemTemp\tem4818.tmp	Clipup.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
27144	sc.exe
23896	sc.exe
8668	sc.exe
8616	sc.exe
10216	sc.exe
9800	sc.exe
23736	sc.exe
8708	sc.exe
23952	sc.exe
8076	sc.exe
11652	sc.exe
11668	sc.exe
10048	sc.exe
23852	sc.exe
7676	sc.exe
8724	sc.exe
8436	sc.exe
12404	sc.exe
9916	sc.exe
9328	sc.exe
8492	sc.exe
23236	sc.exe
5424	sc.exe
8696	sc.exe
23916	sc.exe
8112	sc.exe
7832	sc.exe
9792	sc.exe
8084	sc.exe
7892	sc.exe
9124	sc.exe
23908	sc.exe
8580	sc.exe
8404	sc.exe
8328	sc.exe
11576	sc.exe
11604	sc.exe
11620	sc.exe
9580	sc.exe
23900	sc.exe
9100	sc.exe
12188	sc.exe
9568	sc.exe
8568	sc.exe
12352	sc.exe
6864	sc.exe
9672	sc.exe
9464	sc.exe
9456	sc.exe
8596	sc.exe
10796	sc.exe
23412	sc.exe
8764	sc.exe
8680	sc.exe
8636	sc.exe
23928	sc.exe
8480	sc.exe
8452	sc.exe
12112	sc.exe
9680	sc.exe
9904	sc.exe
8736	sc.exe
23932	sc.exe
10092	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	clipup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	Clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	clipup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	clipup.exe

Checks processor information in registry 2 TTPs 49 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\	steamwebhelper.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\	steamwebhelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-1002246581-1510179080-2205450789-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
9728	reg.exe
9040	reg.exe
8880	reg.exe
13616	reg.exe
10168	reg.exe
10008	reg.exe
8204	reg.exe
8912	reg.exe
9620	reg.exe
23652	reg.exe
9828	reg.exe
9276	reg.exe
9208	reg.exe
9988	reg.exe
7652	reg.exe
9412	reg.exe
9136	reg.exe
8900	reg.exe
10196	reg.exe
9528	reg.exe
9000	reg.exe
7684	reg.exe
23456	reg.exe
9548	reg.exe
23640	reg.exe
7692	reg.exe
23516	reg.exe
9784	reg.exe
9380	reg.exe
23812	reg.exe
27236	reg.exe
9304	reg.exe
23756	reg.exe
9504	reg.exe
9016	reg.exe
10124	reg.exe
9852	reg.exe
10132	reg.exe
8832	reg.exe
10208	reg.exe
10152	reg.exe
7436	reg.exe
23716	reg.exe
9700	reg.exe
9664	reg.exe
23672	reg.exe
9296	reg.exe
8976	reg.exe
8924	reg.exe
13668	reg.exe
7188	reg.exe
9892	reg.exe
9712	reg.exe
9480	reg.exe
9372	reg.exe
23696	reg.exe
9820	reg.exe
23532	reg.exe
23468	reg.exe
9612	reg.exe
9400	reg.exe
23452	reg.exe
9080	reg.exe
9652	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MAS_AIO.cmd.txt:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
17360	NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
7472	PING.EXE
10316	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
288	dControl.exe
288	dControl.exe
288	dControl.exe
288	dControl.exe
288	dControl.exe
288	dControl.exe
1992	dControl.exe
1992	dControl.exe
1992	dControl.exe
1992	dControl.exe
1992	dControl.exe
1992	dControl.exe
3480	dControl.exe
3480	dControl.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
4680	SteamSetup.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
27244	steamwebhelper.exe
27244	steamwebhelper.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe
1512	steam.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3480	dControl.exe
1512	steam.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	288	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	288	dControl.exe
Token: SeIncreaseQuotaPrivilege	288	dControl.exe
Token: 0	288	dControl.exe
Token: SeDebugPrivilege	1992	dControl.exe
Token: SeAssignPrimaryTokenPrivilege	1992	dControl.exe
Token: SeIncreaseQuotaPrivilege	1992	dControl.exe
Token: SeDebugPrivilege	424	taskmgr.exe
Token: SeSystemProfilePrivilege	424	taskmgr.exe
Token: SeCreateGlobalPrivilege	424	taskmgr.exe
Token: 33	424	taskmgr.exe
Token: SeIncBasePriorityPrivilege	424	taskmgr.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4680	SteamSetup.exe
Token: SeDebugPrivilege	4680	SteamSetup.exe
Token: SeDebugPrivilege	4680	SteamSetup.exe
Token: SeDebugPrivilege	4680	SteamSetup.exe
Token: SeDebugPrivilege	4680	SteamSetup.exe
Token: SeSecurityPrivilege	4456	steamservice.exe
Token: SeSecurityPrivilege	4456	steamservice.exe
Token: SeDebugPrivilege	17800	firefox.exe
Token: SeDebugPrivilege	17800	firefox.exe
Token: SeDebugPrivilege	14840	firefox.exe
Token: SeDebugPrivilege	14840	firefox.exe
Token: SeDebugPrivilege	14840	firefox.exe
Token: SeDebugPrivilege	11284	powershell.exe
Token: SeDebugPrivilege	11116	powershell.exe
Token: SeIncreaseQuotaPrivilege	23200	WMIC.exe
Token: SeSecurityPrivilege	23200	WMIC.exe
Token: SeTakeOwnershipPrivilege	23200	WMIC.exe
Token: SeLoadDriverPrivilege	23200	WMIC.exe
Token: SeSystemProfilePrivilege	23200	WMIC.exe
Token: SeSystemtimePrivilege	23200	WMIC.exe
Token: SeProfSingleProcessPrivilege	23200	WMIC.exe
Token: SeIncBasePriorityPrivilege	23200	WMIC.exe
Token: SeCreatePagefilePrivilege	23200	WMIC.exe
Token: SeBackupPrivilege	23200	WMIC.exe
Token: SeRestorePrivilege	23200	WMIC.exe
Token: SeShutdownPrivilege	23200	WMIC.exe
Token: SeDebugPrivilege	23200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	23200	WMIC.exe
Token: SeRemoteShutdownPrivilege	23200	WMIC.exe
Token: SeUndockPrivilege	23200	WMIC.exe
Token: SeManageVolumePrivilege	23200	WMIC.exe
Token: 33	23200	WMIC.exe
Token: 34	23200	WMIC.exe
Token: 35	23200	WMIC.exe
Token: 36	23200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	23200	WMIC.exe
Token: SeSecurityPrivilege	23200	WMIC.exe
Token: SeTakeOwnershipPrivilege	23200	WMIC.exe
Token: SeLoadDriverPrivilege	23200	WMIC.exe
Token: SeSystemProfilePrivilege	23200	WMIC.exe
Token: SeSystemtimePrivilege	23200	WMIC.exe
Token: SeProfSingleProcessPrivilege	23200	WMIC.exe
Token: SeIncBasePriorityPrivilege	23200	WMIC.exe
Token: SeCreatePagefilePrivilege	23200	WMIC.exe
Token: SeBackupPrivilege	23200	WMIC.exe
Token: SeRestorePrivilege	23200	WMIC.exe
Token: SeShutdownPrivilege	23200	WMIC.exe
Token: SeDebugPrivilege	23200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	23200	WMIC.exe
Token: SeRemoteShutdownPrivilege	23200	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
3480	dControl.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe
424	taskmgr.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3556	MiniSearchHost.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4680	SteamSetup.exe
4456	steamservice.exe
1512	steam.exe
17800	firefox.exe
14840	firefox.exe
14840	firefox.exe
14840	firefox.exe
14840	firefox.exe
14840	firefox.exe
14840	firefox.exe
14840	firefox.exe
16116	firefox.exe
10088	firefox.exe
10088	firefox.exe
10088	firefox.exe
10088	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4696 wrote to memory of 4868	4696	firefox.exe	100
PID 4868 wrote to memory of 288	4868	firefox.exe	101
PID 4868 wrote to memory of 288	4868	firefox.exe	101
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 3148	4868	firefox.exe	102
PID 4868 wrote to memory of 1192	4868	firefox.exe	103
PID 4868 wrote to memory of 1192	4868	firefox.exe	103
PID 4868 wrote to memory of 1192	4868	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\dControl.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:288
- C:\Users\Admin\AppData\Local\Temp\dControl.exe
  C:\Users\Admin\AppData\Local\Temp\dControl.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\dControl.exe
    "C:\Users\Admin\AppData\Local\Temp\dControl.exe" /TI
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:836

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:424

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.22000.1_none_eba50eb553865eda\cmd.exe
"C:\Windows\WinSxS\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.22000.1_none_eba50eb553865eda\cmd.exe"
1⤵
PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /c ""C:\Users\Admin\Downloads\MAS_AIO.cmd" r1"
  2⤵
  PID:22704
- - C:\Windows\System32\sc.exe
    sc query Null
    3⤵
    - Launches sc.exe
    PID:6864
- - C:\Windows\System32\find.exe
    find /i "RUNNING"
    3⤵
    PID:6868
- - C:\Windows\System32\findstr.exe
    findstr /v "$" "MAS_AIO.cmd"
    3⤵
    PID:6888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "r1" "
    3⤵
    PID:22736
- - C:\Windows\System32\find.exe
    find /i "/"
    3⤵
    PID:6904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:6916
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:22760
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:22764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    PID:22792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      PID:22812
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:22816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO.cmd" "
    3⤵
    PID:22832
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:7192
- - C:\Windows\System32\reg.exe
    reg query HKCU\Console /v QuickEdit
    3⤵
    - Modifies registry key
    PID:7188
- - C:\Windows\System32\fltMC.exe
    fltmc
    3⤵
    PID:22852
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:5372
- - C:\Windows\System32\reg.exe
    reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "0" /f
    3⤵
    PID:7204
- - C:\Windows\System32\cmd.exe
    cmd.exe /c ""C:\Users\Admin\Downloads\MAS_AIO.cmd" r1 -qedit"
    3⤵
    PID:22880
  - - C:\Windows\System32\reg.exe
      reg add HKCU\Console /v QuickEdit /t REG_DWORD /d "1" /f
      4⤵
      PID:7252
  - - C:\Windows\System32\sc.exe
      sc query Null
      4⤵
      PID:7268
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:7276
  - - C:\Windows\System32\findstr.exe
      findstr /v "$" "MAS_AIO.cmd"
      4⤵
      PID:22896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "r1 -qedit" "
      4⤵
      PID:22904
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:7308
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:22928
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:22924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:22916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:7352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:22944
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:22948
  - - C:\Windows\System32\find.exe
      find /i "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:7388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\Downloads\MAS_AIO.cmd" "
      4⤵
      PID:7384
  - - C:\Windows\System32\fltMC.exe
      fltmc
      4⤵
      PID:7420
  - - C:\Windows\System32\reg.exe
      reg query HKCU\Console /v QuickEdit
      4⤵
      Modifies registry key
      PID:7436
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:7440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -4 -n 1 updatecheck.massgrave.dev
      4⤵
      PID:22988
    - - C:\Windows\System32\PING.EXE
        
        ping -4 -n 1 updatecheck.massgrave.dev
        5⤵
        Runs ping.exe
        
        PID:7472
  - - C:\Windows\System32\find.exe
      find "127.69"
      4⤵
      PID:22996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
      4⤵
      PID:7460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "127.69.2.5" "
      4⤵
      PID:23004
  - - C:\Windows\System32\find.exe
      find "127.69.2.5"
      4⤵
      PID:7508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "r1 -qedit" "
      4⤵
      PID:23024
  - - C:\Windows\System32\find.exe
      find /i "/S"
      4⤵
      PID:11460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "r1 -qedit" "
      4⤵
      PID:11440
  - - C:\Windows\System32\find.exe
      find /i "/"
      4⤵
      PID:11432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
      4⤵
      PID:23036
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop
        5⤵
        
        PID:11400
  - - C:\Windows\System32\mode.com
      mode 76, 30
      4⤵
      PID:11388
  - - C:\Windows\System32\choice.exe
      choice /C:123456780 /N
      4⤵
      PID:11372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:11360
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\Console" /v ForceV2
      4⤵
      PID:23064
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:11344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
      4⤵
      PID:11328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
        5⤵
        
        PID:11316
    - - C:\Windows\System32\cmd.exe
        
        cmd
        5⤵
        
        PID:23076
  - - C:\Windows\System32\mode.com
      mode 110, 34
      4⤵
      PID:23084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe $ExecutionContext.SessionState.LanguageMode
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:11284
  - - C:\Windows\System32\find.exe
      find /i "Full"
      4⤵
      PID:11276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:23136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:11116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
      4⤵
      PID:11024
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:11016
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:23200
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:10996
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:23236
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
      4⤵
      PID:10924
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:10916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku"
      4⤵
      PID:10676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); [void]$TypeBuilder.DefinePInvokeMethod('SLGetWindowsInformationDWORD', 'slc.dll', 'Public, Static', 1, [int], @([String], [int].MakeByRefType()), 1, 3); $Sku = 0; [void]$TypeBuilder.CreateType()::SLGetWindowsInformationDWORD('Kernel-BrandingInfo', [ref]$Sku); $Sku
        5⤵
        
        PID:23296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn 2>nul
      4⤵
      PID:10588
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v OSProductPfn
        5⤵
        
        PID:10540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST" 2>nul
      4⤵
      PID:10524
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic Path Win32_OperatingSystem Get OperatingSystemSKU /format:LIST
        5⤵
        
        PID:10500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:7616
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
        5⤵
        
        PID:10356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 1 l.root-servers.net
      4⤵
      PID:10332
    - - C:\Windows\System32\PING.EXE
        
        ping -n 1 l.root-servers.net
        5⤵
        Runs ping.exe
        
        PID:10316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:10344
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:10292
  - - C:\Windows\System32\reg.exe
      reg query "HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:10300
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled
      4⤵
      PID:23400
  - - C:\Windows\System32\find.exe
      find /i "0x0"
      4⤵
      PID:10268
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:23412
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:10216
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DisplayName
      4⤵
      PID:10180
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Description
      4⤵
      Modifies registry key
      PID:10196
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v DependOnService
      4⤵
      Modifies registry key
      PID:10208
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ErrorControl
      4⤵
      Modifies registry key
      PID:10168
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ImagePath
      4⤵
      Modifies registry key
      PID:10152
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v ObjectName
      4⤵
      Modifies registry key
      PID:10132
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Start
      4⤵
      Modifies registry key
      PID:10124
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC /v Type
      4⤵
      PID:10108
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:10092
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      Launches sc.exe
      PID:10048
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DependOnService
      4⤵
      PID:10032
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Description
      4⤵
      Modifies registry key
      PID:10008
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v DisplayName
      4⤵
      Modifies registry key
      PID:9988
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:23456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ImagePath
      4⤵
      Modifies registry key
      PID:23452
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v ErrorControl
      4⤵
      PID:23448
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Start
      4⤵
      PID:9944
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:9904
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:9916
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wlidsvc /v Type
      4⤵
      Modifies registry key
      PID:23468
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DependOnService
      4⤵
      Modifies registry key
      PID:9892
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Description
      4⤵
      PID:23488
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v DisplayName
      4⤵
      PID:9868
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ImagePath
      4⤵
      PID:9840
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:9852
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v ObjectName
      4⤵
      Modifies registry key
      PID:9828
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Start
      4⤵
      Modifies registry key
      PID:9820
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\sppsvc /v Type
      4⤵
      Modifies registry key
      PID:23516
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:9800
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:9792
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DependOnService
      4⤵
      Modifies registry key
      PID:9784
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Description
      4⤵
      Modifies registry key
      PID:23532
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v DisplayName
      4⤵
      PID:9752
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ErrorControl
      4⤵
      PID:23544
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ImagePath
      4⤵
      Modifies registry key
      PID:9728
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v ObjectName
      4⤵
      Modifies registry key
      PID:9712
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Start
      4⤵
      Modifies registry key
      PID:9700
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\KeyIso /v Type
      4⤵
      PID:9692
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:9680
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      Launches sc.exe
      PID:9672
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DependOnService
      4⤵
      Modifies registry key
      PID:9664
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Description
      4⤵
      Modifies registry key
      PID:9652
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v DisplayName
      4⤵
      PID:9640
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ErrorControl
      4⤵
      PID:23584
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ImagePath
      4⤵
      Modifies registry key
      PID:9620
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v ObjectName
      4⤵
      Modifies registry key
      PID:9612
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Start
      4⤵
      PID:9604
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager /v Type
      4⤵
      PID:23608
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:9580
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:9568
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DependOnService
      4⤵
      PID:9560
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Description
      4⤵
      Modifies registry key
      PID:9548
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v DisplayName
      4⤵
      PID:9536
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ErrorControl
      4⤵
      Modifies registry key
      PID:9528
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ImagePath
      4⤵
      Modifies registry key
      PID:23640
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v ObjectName
      4⤵
      Modifies registry key
      PID:9504
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Start
      4⤵
      Modifies registry key
      PID:23652
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt /v Type
      4⤵
      Modifies registry key
      PID:9480
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:9464
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:9456
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DependOnService
      4⤵
      PID:9440
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Description
      4⤵
      Modifies registry key
      PID:7652
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v DisplayName
      4⤵
      Modifies registry key
      PID:9412
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:9400
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:9380
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v ObjectName
      4⤵
      Modifies registry key
      PID:9372
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Start
      4⤵
      Modifies registry key
      PID:23672
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\DoSvc /v Type
      4⤵
      PID:9344
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      PID:23684
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      Launches sc.exe
      PID:9328
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DependOnService
      4⤵
      Modifies registry key
      PID:23696
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Description
      4⤵
      Modifies registry key
      PID:9304
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v DisplayName
      4⤵
      Modifies registry key
      PID:9296
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ErrorControl
      4⤵
      Modifies registry key
      PID:23716
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:9276
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v ObjectName
      4⤵
      PID:9264
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Start
      4⤵
      PID:9252
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /v Type
      4⤵
      PID:23732
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      Launches sc.exe
      PID:23736
  - - C:\Windows\System32\sc.exe
      sc query CryptSvc
      4⤵
      Launches sc.exe
      PID:5424
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DependOnService
      4⤵
      Modifies registry key
      PID:8204
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Description
      4⤵
      Modifies registry key
      PID:9208
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v DisplayName
      4⤵
      PID:9200
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ErrorControl
      4⤵
      PID:9180
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ImagePath
      4⤵
      Modifies registry key
      PID:23756
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v ObjectName
      4⤵
      PID:9160
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Start
      4⤵
      PID:9148
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc /v Type
      4⤵
      Modifies registry key
      PID:9136
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:9124
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      Launches sc.exe
      PID:9100
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DependOnService
      4⤵
      Modifies registry key
      PID:9080
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Description
      4⤵
      Modifies registry key
      PID:9040
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v DisplayName
      4⤵
      Modifies registry key
      PID:9016
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ErrorControl
      4⤵
      Modifies registry key
      PID:9000
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ImagePath
      4⤵
      PID:8988
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v ObjectName
      4⤵
      Modifies registry key
      PID:8976
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start
      4⤵
      Modifies registry key
      PID:23812
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Type
      4⤵
      PID:23816
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:27144
  - - C:\Windows\System32\sc.exe
      sc query TrustedInstaller
      4⤵
      PID:27196
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DependOnService
      4⤵
      Modifies registry key
      PID:27236
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Description
      4⤵
      PID:8944
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v DisplayName
      4⤵
      PID:23824
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ErrorControl
      4⤵
      Modifies registry key
      PID:8924
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ImagePath
      4⤵
      Modifies registry key
      PID:8912
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Type
      4⤵
      Modifies registry key
      PID:8880
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v Start
      4⤵
      PID:8888
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller /v ObjectName
      4⤵
      Modifies registry key
      PID:8900
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:23852
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:7676
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DependOnService
      4⤵
      Modifies registry key
      PID:7692
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Description
      4⤵
      Modifies registry key
      PID:7684
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v DisplayName
      4⤵
      PID:8844
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ErrorControl
      4⤵
      Modifies registry key
      PID:8832
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ImagePath
      4⤵
      PID:23880
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v ObjectName
      4⤵
      PID:8804
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start
      4⤵
      PID:8792
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Type
      4⤵
      PID:8780
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:8764
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:23896
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      PID:8748
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:8736
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:8724
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:8708
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      Launches sc.exe
      PID:8696
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:8680
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:8668
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      PID:8652
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      Launches sc.exe
      PID:8636
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:8616
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:23900
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      Launches sc.exe
      PID:8596
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:23908
  - - C:\Windows\System32\sc.exe
      sc config DoSvc start= delayed-auto
      4⤵
      Launches sc.exe
      PID:8580
  - - C:\Windows\System32\sc.exe
      sc config UsoSvc start= delayed-auto
      4⤵
      Launches sc.exe
      PID:8568
  - - C:\Windows\System32\sc.exe
      sc config wuauserv start= demand
      4⤵
      Launches sc.exe
      PID:23916
  - - C:\Windows\System32\sc.exe
      sc query ClipSVC
      4⤵
      Launches sc.exe
      PID:23928
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:8544
  - - C:\Windows\System32\sc.exe
      sc start ClipSVC
      4⤵
      Launches sc.exe
      PID:23932
  - - C:\Windows\System32\sc.exe
      sc query wlidsvc
      4⤵
      PID:8516
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:23940
  - - C:\Windows\System32\sc.exe
      sc start wlidsvc
      4⤵
      Launches sc.exe
      PID:8492
  - - C:\Windows\System32\sc.exe
      sc query sppsvc
      4⤵
      Launches sc.exe
      PID:8480
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:8472
  - - C:\Windows\System32\sc.exe
      sc start sppsvc
      4⤵
      Launches sc.exe
      PID:8452
  - - C:\Windows\System32\sc.exe
      sc query KeyIso
      4⤵
      Launches sc.exe
      PID:8436
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:8428
  - - C:\Windows\System32\sc.exe
      sc start KeyIso
      4⤵
      Launches sc.exe
      PID:8404
  - - C:\Windows\System32\sc.exe
      sc query LicenseManager
      4⤵
      PID:8388
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:8384
  - - C:\Windows\System32\sc.exe
      sc start LicenseManager
      4⤵
      PID:8368
  - - C:\Windows\System32\sc.exe
      sc query Winmgmt
      4⤵
      Launches sc.exe
      PID:10796
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:8356
  - - C:\Windows\System32\sc.exe
      sc start Winmgmt
      4⤵
      Launches sc.exe
      PID:23952
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:8328
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:23960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service DoSvc
      4⤵
      PID:8304
  - - C:\Windows\System32\sc.exe
      sc query DoSvc
      4⤵
      Launches sc.exe
      PID:8112
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:8104
  - - C:\Windows\System32\sc.exe
      sc start DoSvc
      4⤵
      Launches sc.exe
      PID:8084
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      Launches sc.exe
      PID:8076
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:24024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service UsoSvc
      4⤵
      PID:8060
  - - C:\Windows\System32\sc.exe
      sc query UsoSvc
      4⤵
      PID:7936
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:7924
  - - C:\Windows\System32\sc.exe
      sc start UsoSvc
      4⤵
      Launches sc.exe
      PID:7892
  - - C:\Windows\System32\sc.exe
      sc query CryptSvc
      4⤵
      PID:7880
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:7876
  - - C:\Windows\System32\sc.exe
      sc start CryptSvc
      4⤵
      PID:7852
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:7824
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      Launches sc.exe
      PID:7832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service BITS
      4⤵
      PID:7800
  - - C:\Windows\System32\sc.exe
      sc query BITS
      4⤵
      Launches sc.exe
      PID:11576
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:11584
  - - C:\Windows\System32\sc.exe
      sc start BITS
      4⤵
      Launches sc.exe
      PID:11604
  - - C:\Windows\System32\sc.exe
      sc query TrustedInstaller
      4⤵
      Launches sc.exe
      PID:11620
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:11632
  - - C:\Windows\System32\sc.exe
      sc start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:11652
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:11668
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:11664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service wuauserv
      4⤵
      PID:11696
  - - C:\Windows\System32\sc.exe
      sc query wuauserv
      4⤵
      Launches sc.exe
      PID:12112
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:12120
  - - C:\Windows\System32\sc.exe
      sc start wuauserv
      4⤵
      PID:12180
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:12208
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:12188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Start-Service WaaSMedicSvc
      4⤵
      PID:12224
  - - C:\Windows\System32\sc.exe
      sc query WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:12352
  - - C:\Windows\System32\find.exe
      find /i "RUNNING"
      4⤵
      PID:12368
  - - C:\Windows\System32\sc.exe
      sc start WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:12404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo WaaSMedicSvc-1060 "
      4⤵
      PID:12408
  - - C:\Windows\System32\findstr.exe
      findstr /i "ClipSVC-1058 sppsvc-1058"
      4⤵
      PID:12432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
      4⤵
      PID:12456
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State" /v ImageState
        5⤵
        
        PID:11764
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinPE" /v InstRoot
      4⤵
      PID:12484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1]);" 2>nul
      4⤵
      PID:12500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\Downloads\MAS_AIO.cmd') -split ':wpatest\:.*';iex ($f[1]);"
        5⤵
        
        PID:12516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "7" "
      4⤵
      PID:12896
  - - C:\Windows\System32\find.exe
      find /i "Error Found"
      4⤵
      PID:12904
  - - C:\Windows\System32\Dism.exe
      DISM /English /Online /Get-CurrentEdition
      4⤵
      Drops file in Windows directory
      PID:12936
    - - C:\Users\Admin\AppData\Local\Temp\0295EB20-F5CF-4CF3-8300-56ADA7E0CD9E\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\0295EB20-F5CF-4CF3-8300-56ADA7E0CD9E\dismhost.exe {6712EB9D-3ED4-4A7A-B2FC-30B1608CDA30}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:14648
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:14504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID 2>nul
      4⤵
      PID:14496
  - - C:\Windows\System32\cscript.exe
      cscript //nologo C:\Windows\system32\slmgr.vbs /dlv
      4⤵
      PID:12380
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:14428
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path Win32_ComputerSystem get CreationClassName /value
      4⤵
      PID:14408
  - - C:\Windows\System32\find.exe
      find /i "computersystem"
      4⤵
      PID:14392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "0" "
      4⤵
      PID:14356
  - - C:\Windows\System32\findstr.exe
      findstr /i "0x800410 0x800440"
      4⤵
      PID:14344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm" 2>nul
      4⤵
      PID:14252
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "SkipRearm"
        5⤵
        
        PID:24124
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ClipSVC\Volatile\PersistedSystemState"
      4⤵
      PID:14268
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\PersistedTSReArmed"
      4⤵
      PID:14284
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\Plugins\Objects\msft:rm/algorithm/hwid/4.0" /f ba02fed39662 /d
      4⤵
      PID:14156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore 2>nul
      4⤵
      PID:14144
    - - C:\Windows\System32\reg.exe
        
        reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v TokenStore
        5⤵
        
        PID:14128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE" 2>nul
      4⤵
      PID:14124
    - - C:\Windows\System32\wbem\WMIC.exe
        
        wmic path SoftwareLicensingProduct where (ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f') get ID /VALUE
        5⤵
        
        PID:14092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"C:\Windows\System32\spp\store\2.0"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      PID:14060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SYSTEM\WPA"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      PID:13944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$acl = Get-Acl '"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"'; if ($acl.Access.Where{ $_.IdentityReference -eq 'NT SERVICE\sppsvc' -and $_.AccessControlType -eq 'Deny' -or $acl.Access.IdentityReference -notcontains 'NT SERVICE\sppsvc'}) {Exit 2}"
      4⤵
      PID:13816
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v SettingsPageVisibility
      4⤵
      Modifies registry key
      PID:13668
  - - C:\Windows\System32\find.exe
      find /i "windowsupdate"
      4⤵
      PID:13660
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdateSysprepInProgress
      4⤵
      PID:13632
  - - C:\Windows\System32\reg.exe
      reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /s
      4⤵
      Modifies registry key
      PID:13616
  - - C:\Windows\System32\findstr.exe
      findstr /i "NoAutoUpdate DisableWindowsUpdateAccess"
      4⤵
      PID:13608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo: WaaSMedicSvc-1060 "
      4⤵
      PID:13588
  - - C:\Windows\System32\find.exe
      find /i "wuauserv"
      4⤵
      PID:13576
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v DisableStoreApps
      4⤵
      PID:13556
  - - C:\Windows\System32\find.exe
      find /i "0x1"
      4⤵
      PID:12668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "040fa323-92b1-4baf-97a2-5b67feaefddb 0724cb7d-3437-4cb7-93cb-830375d0079d 0ad2ac98-7bb9-4201-8d92-312299201369 1a9a717a-cf13-4ba5-83c3-0fe25fa868d5 221a02da-e2a1-4b75-864c-0a4410a33fdf 291ece0e-9c38-40ca-a9e1-32cc7ec19507 2936d1d2-913a-4542-b54e-ce5a602a2a38 2c293c26-a45a-4a2a-a350-c69a67097529 2de67392-b7a7-462a-b1ca-108dd189f588 2ffd8952-423e-4903-b993-72a1aa44cf82 30a42c86-b7a0-4a34-8c90-ff177cb2acb7 345a5db0-d94f-4e3b-a0c0-7c42f7bc3ebf 3502365a-f88a-4ba4-822a-5769d3073b65 377333b1-8b5d-48d6-9679-1225c872d37c 3df374ef-d444-4494-a5a1-4b0d9fd0e203 3f1afc82-f8ac-4f6c-8005-1d233e606eee 49cd895b-53b2-4dc4-a5f7-b18aa019ad37 4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c 4f3da0d2-271d-4508-ae81-626b60809a38 5d78c4e9-aeb3-4b40-8ac2-6a6005e0ad6d 60b3ec1b-9545-4921-821f-311b129dd6f6 613d217f-7f13-4268-9907-1662339531cd 62f0c100-9c53-4e02-b886-a3528ddfe7f6 6365275e-368d-46ca-a0ef-fc0404119333 721f9237-9341-4453-a661-09e8baa6cca5 73111121-5638-40f6-bc11-f1d7b0d64300 7a802526-4c94-4bd1-ba14-835a1aca2120 7cb546c0-c7d5-44d8-9a5c-69ecdd782b69 82bbc092-bc50-4e16-8e18-b74fc486aec3 8ab9bdd1-1f67-4997-82d9-8878520837d9 8b351c9c-f398-4515-9900-09df49427262 90da7373-1c51-430b-bf26-c97e9c5cdc31 92fb8726-92a8-4ffc-94ce-f82e07444653 95dca82f-385d-4d39-b85b-5c73fa285d6f a48938aa-62fa-4966-9d44-9f04da3f72f2 b0773a15-df3a-4312-9ad2-83d69648e356 b4bfe195-541e-4e64-ad23-6177f19e395e b68e61d2-68ca-4757-be45-0cc2f3e68eee bd3762d7-270d-4760-8fb3-d829ca45278a c86d5194-4840-4dae-9c1c-0301003a5ab0 ca7df2e3-5ea0-47b8-9ac1-b1be4d8edd69 d552befb-48cc-4327-8f39-47d2d94f987c d6eadb3b-5ca8-4a6b-986e-35b550756111 df96023b-dcd9-4be2-afa0-c6c871159ebe e0c42288-980c-4788-a014-c080d2e1926e e4db50ea-bda1-4566-b047-0ca50abc6f07 e558417a-5123-4f6f-91e7-385c1c7ca9d4 e7a950a2-e548-4f10-bf16-02ec848e0643 eb6d346f-1c60-4643-b960-40ec31596c45 ec868e65-fadf-4759-b23e-93fe37f2cc29 ef51e000-2659-4f25-8345-3de70a9cf4c4 f7af7d09-40e4-419c-a49b-eae366689ebd fa755fe6-6739-40b9-8d84-6d0ea3b6d1ab fe74f55b-0338-41d6-b267-4a201abe7285 " "
      4⤵
      PID:13532
  - - C:\Windows\System32\find.exe
      find /i "4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c"
      4⤵
      PID:13520
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call InstallProductKey ProductKey="VK7JG-NPHTM-C97JM-9MPGT-3V66T"
      4⤵
      PID:13504
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:13484
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingService where __CLASS='SoftwareLicensingService' call RefreshLicenseStatus
      4⤵
      PID:13452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Name 2>nul
      4⤵
      PID:13424
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Name
        5⤵
        
        PID:13396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKCU\Control Panel\International\Geo" /v Nation 2>nul
      4⤵
      PID:13384
    - - C:\Windows\System32\reg.exe
        
        reg query "HKCU\Control Panel\International\Geo" /v Nation
        5⤵
        
        PID:13376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
      4⤵
      PID:13360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe [convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("""OSMajorVersion=5;OSMinorVersion=1;OSPlatformId=2;PP=0;Pfn=Microsoft.Windows.48.X19-98841_8wekyb3d8bbwe;PKeyIID=465145217131314304264339481117862266242033457260311819664735280;$([char]0)"""))
        5⤵
        
        PID:2272
  - - C:\Windows\System32\find.exe
      find "AAAA"
      4⤵
      PID:14784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "TwBTAE0AYQBqAG8AcgBWAGUAcgBzAGkAbwBuAD0ANQA7AE8AUwBNAGkAbgBvAHIAVgBlAHIAcwBpAG8AbgA9ADEAOwBPAFMAUABsAGEAdABmAG8AcgBtAEkAZAA9ADIAOwBQAFAAPQAwADsAUABmAG4APQBNAGkAYwByAG8AcwBvAGYAdAAuAFcAaQBuAGQAbwB3AHMALgA0ADgALgBYADEAOQAtADkAOAA4ADQAMQBfADgAdwBlAGsAeQBiADMAZAA4AGIAYgB3AGUAOwBQAEsAZQB5AEkASQBEAD0ANAA2ADUAMQA0ADUAMgAxADcAMQAzADEAMwAxADQAMwAwADQAMgA2ADQAMwAzADkANAA4ADEAMQAxADcAOAA2ADIAMgA2ADYAMgA0ADIAMAAzADMANAA1ADcAMgA2ADAAMwAxADEAOAAxADkANgA2ADQANwAzADUAMgA4ADAAOwAAAA==" "
      4⤵
      PID:14696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Restart-Service ClipSVC
      4⤵
      PID:14904
  - - C:\Windows\System32\ClipUp.exe
      clipup -v -o
      4⤵
      PID:15536
    - - C:\Windows\System32\clipup.exe
        
        clipup -v -o -ppl C:\Users\Admin\AppData\Local\Temp\tem4921.tmp
        5⤵
        Checks SCSI registry key(s)
        
        PID:15560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')"
      4⤵
      PID:15656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1); $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule(2, $False); $TypeBuilder = $ModuleBuilder.DefineType(0); $meth = $TypeBuilder.DefinePInvokeMethod('BrandingFormatString', 'winbrand.dll', 'Public, Static', 1, [String], @([String]), 1, 3); $meth.SetImplementationFlags(128); $TypeBuilder.CreateType()::BrandingFormatString('%WINDOWS_LONG%')
        5⤵
        
        PID:15668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo "Windows 11 Pro" "
      4⤵
      PID:15804
  - - C:\Windows\System32\find.exe
      find /i "Windows"
      4⤵
      PID:15800
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey<>null" call Activate
      4⤵
      PID:15836
  - - C:\Windows\System32\cmd.exe
      cmd /c exit /b 0
      4⤵
      PID:15872
  - - C:\Windows\System32\wbem\WMIC.exe
      wmic path SoftwareLicensingProduct where (LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL) get Name /value
      4⤵
      PID:15896
  - - C:\Windows\System32\findstr.exe
      findstr /i "Windows"
      4⤵
      PID:15904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.0.1810693095\1215898335" -parentBuildID 20221007134813 -prefsHandle 1780 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c09af7b-9546-4712-a777-e827fa6e4bdc} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 1872 1ac4a3f9e58 gpu
    3⤵
    PID:288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.1.983639191\771229735" -parentBuildID 20221007134813 -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f775d96-1dcc-4a0f-a615-0fd99524bf22} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 2248 1ac3e272258 socket
    3⤵
    - Checks processor information in registry
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.2.336333834\1116911462" -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2764 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f26d655-025a-4e49-9d36-fe7ca2b3ac02} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 3012 1ac4f59c058 tab
    3⤵
    PID:1192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.3.2114686216\310098266" -childID 2 -isForBrowser -prefsHandle 3336 -prefMapHandle 3472 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b605700-1a9b-48a9-81fe-25af14a24e33} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 3568 1ac4fb7a858 tab
    3⤵
    PID:244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.4.916963935\1522395730" -childID 3 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe2c5b1b-c447-477d-9906-78e767158893} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4412 1ac51418158 tab
    3⤵
    PID:1520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.6.448426197\1087571931" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81a6cd45-aecd-4845-8ab0-2aa7362d5c71} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5216 1ac519e1758 tab
    3⤵
    PID:3444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.5.153465623\1111683714" -childID 4 -isForBrowser -prefsHandle 5068 -prefMapHandle 5100 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f506906d-8060-49e8-92f1-2b4fe3338519} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5080 1ac517edf58 tab
    3⤵
    PID:780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.7.1393068835\326051240" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a3646a-57fc-4995-ba63-85cfcad608fa} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5468 1ac519e3558 tab
    3⤵
    PID:1036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.8.854915928\1182370924" -childID 7 -isForBrowser -prefsHandle 5892 -prefMapHandle 5856 -prefsLen 26458 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09036dee-7030-48c7-8926-acbfafd90c1d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5904 1ac53967a58 tab
    3⤵
    PID:2592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.9.1845438457\1285714904" -childID 8 -isForBrowser -prefsHandle 1532 -prefMapHandle 4552 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35f40f6c-1023-45a7-80eb-b044d7c9b436} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5192 1ac51e06258 tab
    3⤵
    PID:1876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.11.581418145\301632260" -childID 10 -isForBrowser -prefsHandle 5464 -prefMapHandle 5068 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1edb368-8d85-4026-90aa-61789e76e0ef} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5400 1ac541a6458 tab
    3⤵
    PID:1860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.10.1816196349\1911313881" -childID 9 -isForBrowser -prefsHandle 5272 -prefMapHandle 5256 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d15b0eb1-77bd-422d-9f0b-92f610dd9c66} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5248 1ac541a7c58 tab
    3⤵
    PID:4956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.12.1894116532\1568984849" -childID 11 -isForBrowser -prefsHandle 9716 -prefMapHandle 5988 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20886787-082c-455d-9e0a-13cc8ed79b7c} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 9780 1ac54dc3258 tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.13.547285332\300845578" -childID 12 -isForBrowser -prefsHandle 9944 -prefMapHandle 5948 -prefsLen 26723 -prefMapSize 233444 -jsInitHandle 1344 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42ecb332-e645-4c92-8546-a4f6e52930f7} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5836 1ac54e84c58 tab
    3⤵
    PID:5468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.14.30605443\710513317" -parentBuildID 20221007134813 -prefsHandle 9508 -prefMapHandle 10056 -prefsLen 26723 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d406ea53-b626-4719-ba8a-fdf5c8b48881} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 10088 1ac54e84058 rdd
    3⤵
    PID:5856
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4680
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4456

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:4624
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1512
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1512" "-buildid=1705108172" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --enable-media-stream --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SameSiteByDefaultCookies" "--enable-blink-features=ResizeObserver,Worklet,AudioWorklet" "--disable-blink-features=Badging"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    PID:26924
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1705108172 --initial-client-data=0x35c,0x360,0x364,0x338,0x368,0x7ffd75fef070,0x7ffd75fef080,0x7ffd75fef090
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:10768
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --field-trial-handle=1644,15099074962584128920,14176886889436262712,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1652 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:12140
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,15099074962584128920,14176886889436262712,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --lang=en-US --service-sandbox-type=network --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --lang=en-US --buildid=1705108172 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1764 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:27244
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --field-trial-handle=1644,15099074962584128920,14176886889436262712,131072 --enable-features=CastMediaRouteProvider --disable-features=SameSiteByDefaultCookies --enable-blink-features=ResizeObserver,Worklet,AudioWorklet --disable-blink-features=Badging --lang=en-US --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --product-version="Valve Steam Client" --buildid=1705108172 --steamid=0 --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2468 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3760
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:27492
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:4708
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    PID:6084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:27084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004D4
1⤵
PID:27384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WatchOpen.bat" "
1⤵
PID:16636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WatchOpen.bat" "
1⤵
PID:16888

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchOpen.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:17360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:17760
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:17800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.0.1306441465\865666334" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1600 -prefsLen 21136 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21c2407c-d439-49e0-b21a-db46c8975c6d} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 1752 2267f0fc658 gpu
    3⤵
    PID:18212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.1.273867453\479549454" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21136 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a2ad19c-b019-4345-8870-8edf31e228e2} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 2096 2267ed41758 socket
    3⤵
    - Checks processor information in registry
    PID:18540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.2.494531257\1669539890" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3048 -prefsLen 21597 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ece72336-a137-474d-b03e-258bd1c93651} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 2864 2267f15e158 tab
    3⤵
    PID:19452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.4.81830382\1917550294" -childID 3 -isForBrowser -prefsHandle 3340 -prefMapHandle 3732 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24abb505-9c6b-49b3-bb96-1a8ed30826e4} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 3760 2260d25d958 tab
    3⤵
    PID:3988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.3.2083468663\356731191" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26775 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d792fcce-07aa-4630-a1e6-b34b1c3e42af} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 3504 2260c965858 tab
    3⤵
    PID:3900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.5.1220990749\1536364884" -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 4972 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92b69d4c-60b9-4794-8e89-4799b8bf1007} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 4528 2260e17de58 tab
    3⤵
    PID:20188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.7.1096117082\1599878911" -childID 6 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba95f29a-364d-427f-94c4-746d122b56d8} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 5404 2260e3f9658 tab
    3⤵
    PID:2900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.6.2120031343\2112339552" -childID 5 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d29abfd-3d5c-43cb-9ca6-e5ef0f20509b} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 5212 2260e3f9358 tab
    3⤵
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17800.8.2140045401\1875229217" -childID 7 -isForBrowser -prefsHandle 4972 -prefMapHandle 5064 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1404 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66a24273-b2fa-427d-b204-32233204946b} 17800 "\\.\pipe\gecko-crash-server-pipe.17800" 5804 226102f3558 tab
    3⤵
    PID:10852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WatchOpen.bat" "
1⤵
PID:12816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\WatchOpen.bat"
1⤵
PID:14188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:14800
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:14840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.0.1801247056\104088539" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 21136 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9117d698-14e0-43d8-b339-ee7b57d99221} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 1748 2a6344fc358 gpu
    3⤵
    PID:17796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.1.1946226897\1904689310" -parentBuildID 20221007134813 -prefsHandle 2080 -prefMapHandle 2076 -prefsLen 21136 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d7dce7a-4ad8-439b-950d-71bd7704db7c} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 2092 2a6285dde58 socket
    3⤵
    - Checks processor information in registry
    PID:18636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.2.385857579\581744345" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 2988 -prefsLen 21532 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {572c86cd-afbf-4b96-b3a5-aedbb2868211} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 2976 2a637fa4b58 tab
    3⤵
    PID:20988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.3.1710087932\2030539195" -childID 2 -isForBrowser -prefsHandle 3396 -prefMapHandle 988 -prefsLen 26775 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e85377ea-4406-4b38-befa-faa8fe81bf71} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 3504 2a628562258 tab
    3⤵
    PID:6048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.4.190055152\1410755432" -childID 3 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e47ce76b-a31e-4000-98fc-cc953564cf71} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 4036 2a63aaf0d58 tab
    3⤵
    PID:21112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.5.1869697517\1839769783" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4984 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91df5013-455f-47c6-800e-5e5c0e78cd1a} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 5008 2a63bedee58 tab
    3⤵
    PID:21728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.6.436323698\1343147712" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c9ab304-794f-4e21-9f51-c6a1481a77d2} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 5240 2a63c3d1f58 tab
    3⤵
    PID:21848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.8.1759705822\1623514005" -childID 7 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1adb24-08ad-4f62-9da3-3233b8e4b0e5} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 5552 2a63cbaeb58 tab
    3⤵
    PID:21864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.7.2091630457\1543000775" -childID 6 -isForBrowser -prefsHandle 5368 -prefMapHandle 5372 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dd70cc1-c499-4f4a-afa8-a2085fc6c977} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 5360 2a63cbae258 tab
    3⤵
    PID:21856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.9.369519775\420050045" -childID 8 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9eae1f7-114f-4f5d-aaa2-91365b7bde2d} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 5452 2a63e041e58 tab
    3⤵
    PID:22176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="14840.10.981726482\1707315946" -childID 9 -isForBrowser -prefsHandle 6016 -prefMapHandle 4692 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2ba1f90-4193-41cd-a066-34deed427e8a} 14840 "\\.\pipe\gecko-crash-server-pipe.14840" 6220 2a637f26a58 tab
    3⤵
    PID:2744

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:14600

C:\Windows\System32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v EditionID
1⤵
PID:14476

C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
1⤵
PID:15172
- C:\Windows\system32\Clipup.exe
  "C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\SystemTemp\tem4818.tmp
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:15284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:16100
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:16116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.0.365926138\290585052" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1672 -prefsLen 21136 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa02e46f-13a6-4e1f-94e5-e84e41e78969} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 1760 219676fba58 gpu
    3⤵
    PID:16240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.1.1574942878\397816312" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 21136 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e4cedec-d493-44f4-8deb-6292e91d0e71} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 2096 2195b7d7858 socket
    3⤵
    - Checks processor information in registry
    PID:16260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.2.396972117\1567804620" -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 2880 -prefsLen 21597 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90f7eeef-aa9b-4c66-a63b-d0e8288de0a2} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 3064 2196b3a2558 tab
    3⤵
    PID:16904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.3.706025813\427794068" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26775 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b5cd9a9-f2f8-414e-9ea2-7dd27da5311b} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 3504 2196c504a58 tab
    3⤵
    PID:17096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.4.442334161\2076959183" -childID 3 -isForBrowser -prefsHandle 4564 -prefMapHandle 4560 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97549e6e-3aa1-4e1f-96ae-2f1d22e2ee4b} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 4576 2196db9cf58 tab
    3⤵
    PID:17716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.5.310782547\1520233926" -childID 4 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28960855-db28-45c3-96a7-93b1cc392249} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5164 2196b865758 tab
    3⤵
    PID:27568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.6.1915711926\1294940321" -childID 5 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f7ddee4-0fbf-4ebf-a72c-1b80c1e67a17} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5308 2196ddbfa58 tab
    3⤵
    PID:18248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.7.1428197318\249036216" -childID 6 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6eab175-6892-4621-ae8f-7fb8bfc94679} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5320 2196e3f7958 tab
    3⤵
    PID:27572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.8.670133345\1129212021" -childID 7 -isForBrowser -prefsHandle 5532 -prefMapHandle 5616 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a0214c-9bba-4810-a0ad-d3a8f5f9cb2c} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5560 2196ffd8558 tab
    3⤵
    PID:18696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.9.617596474\1590711311" -childID 8 -isForBrowser -prefsHandle 4624 -prefMapHandle 4620 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {398f7b8f-6247-416c-80f5-38cafd1452d6} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 4612 2197117d558 tab
    3⤵
    PID:24300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.11.1978777789\573473548" -childID 10 -isForBrowser -prefsHandle 10016 -prefMapHandle 10012 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c061f731-d639-4df9-8814-9657729c0cec} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 10024 2196f03ed58 tab
    3⤵
    PID:24680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.10.1690927994\833781806" -childID 9 -isForBrowser -prefsHandle 5636 -prefMapHandle 5316 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb7ca6ec-c330-4f19-911c-b17479a1442c} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5724 2196f03db58 tab
    3⤵
    PID:24672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.12.1002758670\2126104673" -childID 11 -isForBrowser -prefsHandle 5976 -prefMapHandle 5992 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68306c05-d1b7-4a1b-a360-b40c0796de00} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 3024 2196ed57d58 tab
    3⤵
    PID:26452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.13.746214513\1146197287" -childID 12 -isForBrowser -prefsHandle 9976 -prefMapHandle 9968 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4c7cec1-55de-4ea2-9f3b-298ffe60b576} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 9980 2196eef5658 tab
    3⤵
    PID:26460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.15.143475821\17257283" -childID 14 -isForBrowser -prefsHandle 6648 -prefMapHandle 2816 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c8269a-dd2d-4818-9965-31eab4273e9b} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 6764 2196dde0458 tab
    3⤵
    PID:26972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.14.1771837974\1465031606" -childID 13 -isForBrowser -prefsHandle 4836 -prefMapHandle 3488 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d14cda8b-01b0-49f8-b303-93fa8f444418} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 6032 2196dde1c58 tab
    3⤵
    PID:412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.16.850212981\789170822" -childID 15 -isForBrowser -prefsHandle 6404 -prefMapHandle 6408 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c27c08ab-e903-4b79-98e5-139c961eaf65} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 6548 2196fe7c958 tab
    3⤵
    PID:7160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.17.1437630635\1751430617" -childID 16 -isForBrowser -prefsHandle 6252 -prefMapHandle 6248 -prefsLen 26834 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30ef9416-eda5-4d90-ac66-5235bab0ed1f} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 6260 2196ff49558 tab
    3⤵
    PID:7404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.19.927650738\42502857" -childID 18 -isForBrowser -prefsHandle 5332 -prefMapHandle 2792 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19c51597-5b50-4ad5-ac18-e53ba26b49d3} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 3132 2196ed56b58 tab
    3⤵
    PID:14208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.18.421128043\853911579" -childID 17 -isForBrowser -prefsHandle 5644 -prefMapHandle 6024 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e179f67c-c28e-434e-928b-abdafab7cea4} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5948 2196ed1bb58 tab
    3⤵
    PID:5260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.20.741840888\947151617" -childID 19 -isForBrowser -prefsHandle 6020 -prefMapHandle 3092 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d68f512f-0a5a-4f3f-8635-d604a39b7931} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 5648 2196fb8fc58 tab
    3⤵
    PID:15472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.21.1214145769\1459269719" -childID 20 -isForBrowser -prefsHandle 4892 -prefMapHandle 4720 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eeafeaf-d24d-4032-b038-57273b86d2cc} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 4572 21970efa558 tab
    3⤵
    PID:20360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="16116.22.1097768644\871047239" -childID 21 -isForBrowser -prefsHandle 2296 -prefMapHandle 2740 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5771a58-4370-4d93-aedf-509734a104d0} 16116 "\\.\pipe\gecko-crash-server-pipe.16116" 2668 21970ef9658 tab
    3⤵
    PID:20376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:10468
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:10088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.0.1336678106\177444444" -parentBuildID 20221007134813 -prefsHandle 1668 -prefMapHandle 1660 -prefsLen 21145 -prefMapSize 233583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {882d9a0b-cb72-488b-8d15-0e9ff227c382} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 1644 2982b5fcc58 gpu
    3⤵
    PID:20340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.1.1030395648\1061344573" -parentBuildID 20221007134813 -prefsHandle 2084 -prefMapHandle 2072 -prefsLen 21145 -prefMapSize 233583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6436e5eb-fd23-4740-9492-b3e138e760c5} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 2096 2982b6e4558 socket
    3⤵
    - Checks processor information in registry
    PID:19636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.2.672020604\835355669" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 2972 -prefsLen 21606 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7500a8-03bc-4075-9724-3c95b76f3cdb} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 3020 2982f324d58 tab
    3⤵
    PID:11860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.3.1484578270\1988338922" -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 26784 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a1ac6c-e061-4b54-aaac-d242d9fe974d} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 3728 298303c4258 tab
    3⤵
    PID:18176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.4.2015373282\180238920" -childID 3 -isForBrowser -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58312519-c91e-49f4-b6b4-5de1ef0c7b92} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 4724 2983093a358 tab
    3⤵
    PID:12560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.5.1972826881\822502014" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5104 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdb03e7f-2be3-4542-8a08-92769d0f5f4a} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 5128 2983093b258 tab
    3⤵
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.7.1121223598\723216881" -childID 6 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c349492-bc63-422f-8195-1f48c626b760} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 5448 29832c62b58 tab
    3⤵
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.6.50839707\1499834915" -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bfce4fb-254d-4bfb-a23e-a13d030ac12d} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 5256 2983204ac58 tab
    3⤵
    PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.8.969930210\364815725" -childID 7 -isForBrowser -prefsHandle 5832 -prefMapHandle 5744 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8034bfda-4912-40dc-8d5c-c8e99d24066d} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 5844 2983404b658 tab
    3⤵
    PID:1860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.9.597827938\969900565" -childID 8 -isForBrowser -prefsHandle 4856 -prefMapHandle 4860 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81caf871-151c-43d5-8cba-09f54e1c8079} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 6076 2982df6f958 tab
    3⤵
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.10.1376338896\786103828" -childID 9 -isForBrowser -prefsHandle 5040 -prefMapHandle 4940 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ea22ac6-094e-4926-817b-eac48d3b5374} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 6136 2982df70b58 tab
    3⤵
    PID:22112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.12.1307531460\1137370466" -childID 11 -isForBrowser -prefsHandle 10276 -prefMapHandle 10272 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {765e098a-3d21-4ef7-b312-427f8322af81} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 10284 29834de5258 tab
    3⤵
    PID:5268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="10088.11.1999025409\2090654847" -childID 10 -isForBrowser -prefsHandle 3304 -prefMapHandle 3308 -prefsLen 26843 -prefMapSize 233583 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dc46525-6957-4c6b-ad95-573c10cc021b} 10088 "\\.\pipe\gecko-crash-server-pipe.10088" 3296 29834de4358 tab
    3⤵
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\bin\audio.dll

Filesize
178KB

MD5
65a946210b9b62d36bbfc0eea49e7925

SHA1
7dbbee4062ef5dc987c53a529486b68da6ef7b54

SHA256
c7f60c6e0e54a57ae5b3da313dbf684ae8d0821c9e30947ab490ab44897a26d1

SHA512
45a3d7740f0256a401107dc871d09d0bc4ec3a89a18809dc3f42669890924be2f77869c99338e706b69dd5e088d27cf58fe3eac041db1c769b55cc9a4e7680c1

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

Filesize
23KB

MD5
5687e338a8b1864c970ee403619207a7

SHA1
8d1fc0db262b16f453aacd6f04e401b43f2e9a7f

SHA256
57b87f09e8b98647d897f865cf2924c661d25d5e833a1c32b9e131055e910635

SHA512
12a3afe2e38450635ba13b5c1f74a8a1daef1ac2dc56fd4c3e75cbd545c6739951c347f87756ee432788fc7e1e748177afd2ffe4821439b84ae52ce3246c8f8e

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

Filesize
23KB

MD5
469fd67e2c9c04d0dc5a7851a6f79407

SHA1
e4556cad36804e4258b5822b87446ce7bc2d4c8c

SHA256
5a64723bf2b20c3b2115c15b3aa1cbc0aa2f83447ea222e7a19e9f988ccc3017

SHA512
458958b64bd9e52ae84628cfc9aa346994270ae75ee8307c33836a145594a278cde5626890576b03f3d5f384c966fed8f27dc07b117fbb43987e6e1544ba5a6e

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
23KB

MD5
b290ff37e5b7066ebccd32c58ab251ba

SHA1
3d4cd4dfbec4ca7b8a10eac1a26248e4240df602

SHA256
1bb364ffe1f0bceee738da30816918a6f37f6aa70210816bbc2420dbdb006ff8

SHA512
0fb078fba9006f8673e9a69d5a8e6e868c7e593d36a2c4befb81043f35f0d179650f67b1e7988046c214ae163a39021790434ab8fb4ddc1a081a8a702d9f6908

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

Filesize
23KB

MD5
8a7e67ad6ac149b8f2f91aa1169cb0dc

SHA1
d7d9675b811f4cf80b57d6c71172ca128d0ecb0b

SHA256
8234df20fef3fd0c2891c82c5ff3b54357a9caed98ac63eb9d3d3f52d66516a7

SHA512
840970d68772c4777ad29ff7b9a7869339903f085ef883ff02b0ac2abafd14f65a325b3e6f988c2fcee169e3712512d8718490d5c8f773a66020ed5d066cde8f

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
23KB

MD5
7b2911f10cb4c9339cbfe21b5a533c35

SHA1
032447649731371425bdb1d53b941c67e1288607

SHA256
1794cdf4fb1f7a455a2d19e8474d7e905107e19121c7e777f0e760f232f73b42

SHA512
8123deefc81fc5eb16573e18c9cab938f8fddd645aa7b8b5ac775d6e6b35ea833548b81f1b051464511dfeb8611c06d35ca6973d474e212d2394737629ade6f0

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

Filesize
23KB

MD5
c5ea95940f668bdb97a9400897c85169

SHA1
9bd7e47aa4f50205b3e3029125dc4d27d807c292

SHA256
9846d545885bb4f0f315d0fdfc1fa8c38f148bc09be621abd66055b6b3e6842d

SHA512
5fd023863e9102c230130f980fd8cfa761eb97bb75fc13e2b1736946c84ef875023b68e301e7a024218ecf7e01b3c94c1dd946b4a78a723969be5349241c2abe

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

Filesize
27KB

MD5
0af9fe5f79904532caa1b26ed257d2da

SHA1
cb449909e738bf8a3e66d503828e0cb3337f6975

SHA256
e49686170536fb8ff392df5aad983c76ebe46a9d76d1a536855f78b37658571e

SHA512
788f9f29800f0a4c2c8a1b7bd2656cf39964b102ae3332d981545ab13be9d33cf8acf9fa58a0b10b643f48777a1d238bfe280525016b358fecaca8e1086bdc75

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

Filesize
23KB

MD5
788457947fdceacfd6e7905777d989d2

SHA1
6a52a065a6aa905bf6dc8c10c7cebc6e616eb902

SHA256
ddc8356eed890bafe69e435bb63d4aae35a5792192a46ce9489c5da29c37d14f

SHA512
a91f7bd64bb2ffa4dc03921dee43b2d0a5cb69b508df17760cf787f667303e9267d6721670ade4d440a200e2a777963d7ad4377928d6aed1862bc44bea428d1b

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

Filesize
23KB

MD5
21d6f2afc2f534006872b897e5b0a5af

SHA1
0b24bdb543722318550e092a098b57e621b6bae0

SHA256
e0dd6088f58e9661ece1363bfa58e8709383e928e41aebb62a29df52e4bf01a7

SHA512
356b1e8f42d5a184be4c88e83b20580bca6b2cec93c18b3a96117614c8884fdc4fd00e86298a2cb5efcbf9f519e99e7e406cb8444f941e4271a36cc5ee165c2e

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

Filesize
23KB

MD5
f58a9a0453b933ef66dfdfc8bb1ac8dd

SHA1
fbe88e55f3857496b34565ce8b07eeb95d3cad4d

SHA256
765de83d4c9ff03035e1c615a2e2584bf5f04b548ded431d3a16bd2085c0d35a

SHA512
ad71d9515e11bd050b1ddbe3980ffa74b678d95fb48d57a3070d9a6586e82b246608b177789ee6be6e828813bdd38b07d8fe737195c9166a6a94fc3623ec66cd

Download Submit
C:\Program Files (x86)\Steam\crashhandler.dll

Filesize
367KB

MD5
141f3c56237020ac0745d57ffb0ac2cd

SHA1
6db84c6092ea3ef15a1f2191f5404b3160da3403

SHA256
4e8aaf591c17c25f0b92b9fd460659db5e5d72d76b02d9663a7a72b7c7ed6305

SHA512
0a0851858c39428cf1cd51ba5228674bbe4bddb34859c6c871357844b28d143552ed0158b79e7be7e4e8a9a3a89372838512ef12e03947bb151fe89c916e9345

Download Submit
C:\Program Files (x86)\Steam\logs\bootstrap_log.txt

Filesize
10KB

MD5
eaae69c7c92347feaadf14b901d4d22f

SHA1
e13764ccb14c539df09cf367f87ef152e198940e

SHA256
f7f6808c630e37bda934d4ae22bbc833a91340840200bdaf2dd0950d93f52879

SHA512
113a6adabdc3f4297fda2c898d86b4a3a03d2152caec37fae427f4d658f184ad432ace42895a9d61ace89c2c235b2393d4bab0ab3fb16ad00ff9106f385d9d7f

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_metrics.bin

Filesize
3KB

MD5
78ea9f10e794055ee03bf43f668d50f4

SHA1
03529cfa30c7da2814048fc20674aef27092eefd

SHA256
b1b421610ef2141f66e4f4fc982d590582c5df15979ae416ade1f0ab875be584

SHA512
473cbbd302606d0a34e97dd8e87cf01d709ff293f03dca303887815472d659a6e991272f3101aa56a617a877bd1c18990ec0c76b2586c4e294d1a255aefb297b

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.installed

Filesize
460KB

MD5
382689c496931267b987f038e30a198e

SHA1
0a899ec6dd5c8a740018c0476abbed2af69ad8c2

SHA256
c96d24acdce38954c32d504b0280262a3c2eb40434ef9e171c6c808ac13d02d2

SHA512
b5c77917a60564fe78db3aa6ab00f9b79e374d87f3df078466a73adf51f6b33de9a1ebb38efd2060f9e0c01915f99a8a0646d8c67bd832ec8db4e5030a111475

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.manifest

Filesize
9KB

MD5
3f03cae38ef6847eccf56c954b1ae3eb

SHA1
04b0f891fd471e19d17a6ac3b93c8dc7419a6baa

SHA256
6778287775f2a7c8b9d5c505e53201a7e518000df65ffb45ce2d93ff99c8ed4c

SHA512
ab895e7a2a05272afba514e66a6030fc65391c11ac472f313aa18eb982a29f7a179c70f9834658171375848fafc72306d6051964922705d621f72a1c27b65c4f

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
8ebd46495dd3b4ab05431c5c771d5657

SHA1
e426214322a729faddb5bc80053af5750c76683b

SHA256
70c39d5d5b16640165de19cee80da4a391035108cbc5f5009372a86954f0fe92

SHA512
53afd923f583eda4db580935a8cdd62413af8e830c04f2c12d15c55e905c114ec11a5e4483660601504c27e9350e9e47c6432f8f699464e11c5050fe846d7dc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
239c03a3dc1c27993da724736d086cef

SHA1
ff88246f8ea3502873dcbdc622378f006c58a2e6

SHA256
b387e2fb971297d3438acca130c53dfdd202ae2ca5b52d6503333734cda4fbfc

SHA512
656922e8f2dec46ef36efba5c85088c47b02e89f62b27559611fcbe6ef85c6cd8462a4532e2d2d7f4faa977ab24f0de6f5f72e3075f8889db9e6e60baa162a32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
6def4d3cf1453d5fb69d22fca29892a4

SHA1
09fe62653e55668de75a9fc5b64949ea81eb4991

SHA256
60c29f3c57c44c58daf69be797bfede31967b1ddfc9bb68cb7ddaa0acda67c8c

SHA512
ee4f3f5dd8a8aadde9cff8f8aca8a45fa419c36fd8a4a7d3af9b71e1f7e5d9e1d01c329c70e6da53238822b536e35224e55004bf2e1af4ec17d5b56ccfc58549

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
2fe6613e267857982d7df4368c9827ec

SHA1
d520c7427b283e3ff167b850ab15352e46d328d3

SHA256
2eba5f3f0b0dbcc2cd69c36c220a2355d1ba3cd67b6e25b5846c80e1604bcac0

SHA512
cf2fc8978adf54dce5700eda7d8beb4917c89bf5458131171eab95463e1b3a3315770f4baae07e498e8e36a8478f09e27054ca2d06b4542c86d8459360572be4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
594be5b10d9f551e551cf20eae0e6dfc

SHA1
191c20f5cb0c27ecc5a055fa2379694f5e27a610

SHA256
e350ca62e777da4da6d25885be96d48e7ce3acf021a74f2a4902354a1bf03fbb

SHA512
e27bf6593a177c22e16ddf5a44d82b34b02063645a7fd63943b936028d9c433c89628038768a300c296c2d3bcab2ef6b8532a19f7283952d041865c704f62b0b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
da69785dfbf494002f108dd73020183d

SHA1
34bb6061cdf120e7dced0402e588c3f712cf2dc0

SHA256
8cce22e7f13486f2bc612dcc8fa31d81038e6084a350fa10299d40c3a7f878c8

SHA512
db773783b63ed1d66a59272e05304c174b69f85d2838ae8049dffed6b6b30c2011fd9042dd652f9a1733a2b6891870b426cf1985d41921e5360c9b1ae1330e20

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
395286db3e67a59868e2662c326c541a

SHA1
716014d76622612a1bde2d4e1744d024f6d0b830

SHA256
02e48ee4e10354a2b2741d2e57ef565404753779f847906b5ae5c98ede06c01b

SHA512
64cdf1e6701ea57474051e338eee74859fc0ff4acd71ee0718a9b8cd698e94a9793c1901b6791fc0fc268c53fbc1e7e2f94ac1024f3f8765bf713954c194b0fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
b9e30df8cf272813b121133fcf259752

SHA1
16706f982f16d5feb9c808f94b8cfa50c23f5d80

SHA256
88919d7be26fb3e06401fc0254733d92fd743ecc56da4177b41613e1f094c3e8

SHA512
7beb65c0477b02742741a8ce23557f4f15e8cf1b1ef03a6bbadbf594bdf2cd686d7356d93719111d27b309a10ca75846765a13bb3eb4d0411785dfb13a675fc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
5462f47e56b978659ef56f196db013f4

SHA1
4749824d4e909369f59217d4980963ff17353f3f

SHA256
cbfbe91d4a4661df814ea447c03f4ca872ef3e27073a1eb746faccbfe75afc8a

SHA512
5a437968fc06619cf553ced32dba9c7c948f4364f02c8017986e9a4f09e9832b849c7e0567485ca1beba34a258d29b2612ea3ed6045c81777e9a5201139f81a3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
31bd3d4d8de5af4642b21d586d5ee54d

SHA1
552bebb93c71cd8acd72558db1810530909fb276

SHA256
52f256ded29ce22945b5bc0ef7a227189dfa91da69265ec13283a7067c239071

SHA512
cea49fc70b18a1294ec7e564ff7f4d1ff7efeb0db1cf1b088da6adcecc282569380f225e9a150d1666c5c1977ba4de0a5d9d667c72cfb8569a50546b978e9132

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
e9b8fccdb78bf9d275b79c75b2ff3e7b

SHA1
4b549411ed4db0f0a3699e76531353c226b06a76

SHA256
41ecfe0ffd6043a66a41bf9ea032712f2d1bbc19b434c6c666a107ee379f21e4

SHA512
4ce905a31f3a410712722271abd7e0a9a6c43646b61a321912b4a8e8f6fab68ab69add1d701c501bb069b8ecb65ecaf3bfa9be983933d0234a8c81c24bc6601f

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
5c7bc92e0d948e3bba3f26f64a22fe7e

SHA1
bd259397a312bee9b8262058c30e0e354eeea93a

SHA256
5e6b0978fe8e2d14905f46e089b06681d6dfe76dd0c1551c168171ac4de75969

SHA512
8a6e18ce3d38a9658172b1871255a9941c572114137e468f130956c73ff13f282a46074a1dda6404dbdbf317ecdaadf01324194b8f8c081f862037784f4946ba

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
1a537a1d30fba1d3db449a9207b63835

SHA1
ab6903b4c8d6bd3571960b1218714b8d76b1880d

SHA256
49b6b664d50a1ae0c732bcfbbdd1db1812ddccf00bcf5f40200f0e7cff5542ee

SHA512
1215b0d017a6e3ea207edafe8edd500a91a7a971b2f989d8006fa65e475ae32ec00df3e8ec06b4077f64f5b789c536bfb9d8b9945ca0e0731d68e48876bd8459

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f8a86b74ce3b446e3111d1480b5feaf7

SHA1
af21c55fd6ac99e65db55af9b8f4ffe790c4382c

SHA256
8a049b6126e904dcb9ba5d8af21cc0ab25ca55221cf2cd48eea45504fe23083b

SHA512
70f8009f5940b10b77a6c152c8c73f3dd425fb9ac917014504e8116ef00032888de686271e0262cbe7a55c6e605e837dcfbeb54ece71e49646b1030195fa0845

Download Submit
C:\Program Files (x86)\Steam\steam.exe

Filesize
4.2MB

MD5
802c808569259798e06dcfd4a5e283ae

SHA1
7f8a3c552736f5a6d9eaf9b8d7c36853a80e1dc6

SHA256
617c39e8e5ea59aed52a614cfc71fbe619c2d270e225c303f4a2d70b07d495c3

SHA512
4e606e628da23259a3b5fc24c7519d9510c0a2df934cb6561a90642a593456d5aaa4a01c4a76767ce6625196b1b4c9222522ecaf25eb3b10da4f11dc28e5102c

Download Submit
C:\ProgramData\Microsoft\Windows\ClipSVC\GenuineTicket\GenuineTicket

Filesize
1KB

MD5
67a8abe602fd21c5683962fa75f8c9fd

SHA1
e296942da1d2b56452e05ae7f753cd176d488ea8

SHA256
1d19fed36f7d678ae2b2254a5eef240e6b6b9630e5696d0f9efb8b744c60e411

SHA512
70b0b27a2b89f5f771467ac24e92b6cc927f3fdc10d8cb381528b2e08f2a5a3e8c25183f20233b44b71b54ce910349c279013c6a404a1a95b3cc6b8922ab9fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
aff94200961b4bc1adb5c0b067d5cf26

SHA1
1a87ad3140d589ee74a08bd794844932a9c0c199

SHA256
aafb08eeaac42845f61080ea1d913ad7d52a1c470564b93a4324b056e49a6255

SHA512
8da94a30d85760ef8c69452589051bce961b3151768c9032ef94a4de85eba93d8aa8f8f600d331be23001e1c6adfeb8d82ee5b7f0dc7e3220f47e89888c9ea28

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\1401

Filesize
9KB

MD5
c62b4cf562c77c06afff181384cde2c3

SHA1
f67fae1ce51499f7e224aa412c44e4bc856e1ed8

SHA256
61903159f061a1d2a1581b6cc43682e37f424777f19e6082c77d4577f802abdf

SHA512
2fb4a2e13c3fca8ea296f0530674af693665ab45141ac0cb3ed9514945e216b81e63ccd9a9260c8b077803ccc2dc9534d1a6539e57cb0faf2a5239b8bb2c1d52

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\16296

Filesize
29KB

MD5
b15739de401934ae7449643ed01ca877

SHA1
6780f3a37df9548c4fca1e7e2742dd0dd73e0996

SHA256
17dddfc3dcb9813edae5e5a9d3176115645718b914a9d8b098c75f420109fc43

SHA512
036d5e0f756b8135a1b33448625e5b68af63f1adcf93c02d75311d261d525f527ebae0c49b53c83dfb3d19feca97beace3651f159cff4e2d2a4dad067352b900

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\16610

Filesize
9KB

MD5
98b58158ca00923d56f0834cdaf1106f

SHA1
3a1ee203ce9f788dc4123f43270c0ff0b8820d86

SHA256
44362bbe4c9b313f26b7e39d3e9fb057fd3327aeeffd88f019bc799acc31b534

SHA512
5a9bc954f0100f27fce9844bb62fa7805c9e6df878293cbd1f2ad92187d1a930f2bef727334dfd61d303040b845588c7777459cc52eefa0d954f35f1d5bdb499

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\17709

Filesize
20KB

MD5
94ee083ea436b55a7da95997ea04c1dd

SHA1
46aaa7509b0b6e636bbcddeb094cb8ab5352d77c

SHA256
0a05d850ca6b5e2660f4516af1d2ab28fd8536d24d19c684e651e53fef3439f2

SHA512
bcd494b6158812b014e7f2cbc4672c55734921fb2819db340b8047fc1522907c7e2806e7735c0e518f7e32d0a7f1f90c3713d9c4bc27372b187008fe07ff97f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\19253

Filesize
21KB

MD5
4b89b7ea4b484ead131f4e52088b9840

SHA1
94dec40727b753c8b2a9718b9487838858f058ca

SHA256
93bf11493c072bf650de9672bc58de68b3148e67002a116786986c75c5407b98

SHA512
ae4cbb4662eeae10f873fffa82fb33e5aaffbd2525a51238dc3a7c1355517e700e40545c0b655c8fba7f91bdfbf89f045f90c1d408cfab840abc003339e6d3b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\24674

Filesize
10KB

MD5
679979837fb90515d9986e1951d560ee

SHA1
f537ebcce42ac0a2b2d1b07f56d2ea855b6e04f3

SHA256
6b05dbd488557819cafa86a0f632c0dfd3ef2a9f9b89d6dbb70a5a20a9143cf8

SHA512
ac2032024b747cc024623b2331bd68f541fecb12c3280bd0bca0709653a214061fd02145f69549d9794888df211053868c304d6af2719d90f6eeb884429033a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\26109

Filesize
8KB

MD5
1810bae708dd6264126b281ce97a9c4c

SHA1
793c4d52cdd334f057101109fa063fde82b1f7a0

SHA256
99c4187fd278ad1afd380c879e9c375b609bd2a54ccd590f5eeb19d04d873ece

SHA512
f97e6f8ec03bd60fb6704afed9aecee7f35d8dbbe0e70f0594241c0965caac6d872d1985f0c38989af2ba3ad69f81998774394be3a4c0b674eaf0413f1ab7792

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\27378

Filesize
9KB

MD5
3afc5797c2f7b8b8f0626ba2cad91511

SHA1
49040bcba770f641d2578b8e822b9b783b592f24

SHA256
9dca1d1d33cf7b58944c236b79efb83ee8f61bfc2030d13002d8947803680127

SHA512
d8498726e3040629fa800591ec17c475c9d123f7af9426d5f2f12a23ddd50e855c8800ba4b7a15d5abde497473146628e4d601d4dcefbdf48e287bdcd9eccfb2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\31464

Filesize
8KB

MD5
a9269449cf64f3145666a3cfc2a4ab84

SHA1
c52e54819f3fac1ad9610e040d04e3c8c74700d0

SHA256
57c4f05dd75198f167623209551d2939d19f01daf924d6c2aa4fb0e75ed9e5a4

SHA512
ac84c7a2c24a3c423ae06afe5105ac0cd1eca867c0737a609ec31a4d86fb2846e380f20b76d0466b98996be5e389d6e598946d9bc914d13018ecf34a9ad5a878

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\32413

Filesize
12KB

MD5
a38d2c0625f3cbe84a08ae8951ad39b8

SHA1
18ba81b8c07363d82adbb165d3404d80dd698bf8

SHA256
5e48ee91375979d7dd578dc098a149a268eacb40684b57073c87254ef5cd5187

SHA512
64449abeb3f82c8ec99787e0354491fd8b597e40714b6422be050c7ad3960ef1a899c21c485c0ef3217891c07464938540b3e704093ae9fdb826a3534e3b42b0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\4407

Filesize
9KB

MD5
725577debd83d76cc0a1c6206f970a06

SHA1
bd9ec5124d0ee609ace66c4c2a6cd8fc0cc8dab2

SHA256
813d4f6b1bf6da22dffaeae7ba6202bcc842d7bf6b1ec55e7050ec422c095093

SHA512
68ad853617dae695634b024e9229190ee7e459376a4569d6faf20c9f567583acc6b1389b297656e036f2514de6093650975925885a09d02dc2363b1d34393a34

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\58

Filesize
9KB

MD5
8b12a4cfdb98c79731ffb40eb54c20a4

SHA1
2e2d4a29b58183f7eba9de95913d839afd14fec1

SHA256
a98be5d13e85ecfee97db8795f9ec911e1d2f750632550ee26f27b9f8b30f402

SHA512
d4730c466ef002409effc0ebae33d762c108372b68a243ff8a2f78e71cd09a5947fbb16d47e1b6af5bb6da1d942793d3bf282fa1cda1afe65a76af0a5185b7dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\843

Filesize
10KB

MD5
4971994a09a396a81ba713f05b6fe90e

SHA1
29d4501707379d1f1ef798a9e6871e38a4026992

SHA256
78fe07b293d748db34820b61dae4a625c30d1e80a88b0b9c11c127845ae23270

SHA512
1783b23fe6f4eb3143b0a1f7d6af80dd34c038f42ad797cdf6411c3032039856fe9348d78ba82938d21bb5d82fe48a64670f7a0858fb43b01fd28c3e822c5c4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\doomed\995

Filesize
10KB

MD5
3cf0a65b8d70d5da6a31c9a63996e9d0

SHA1
3a1d6ac2d9b77da6534e785541fbfcc70897e6ce

SHA256
9a5122f43096bf493c79587d5f4d79d8d29260ca87b09929e702d6996a84b3ec

SHA512
a076b3ed73ba4ba83be7a87306760e6df3d3e3acd422f60d26b0ced845643b214835ed135f35f6d7e3ab6664fe77cdacc737b9199cff7f0d4505a708f00b5210

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\0315C2CEAC4A041AD91BAB86AEABA44AEC898C8D

Filesize
1.1MB

MD5
84815a7fb5ac47162307db65f14bd712

SHA1
e1cc6609fc1d92b482172ffef12b9739851ddc57

SHA256
2d80cb991c97df2663ef3095e10577c77a628a8c8a8fc7bd35ddd3e2f6278b40

SHA512
36a6ba1cd3293a8289471f0fbb5f45f39f212f9d2f021b0e28d2e3bfd766c76a664e4a5895e04e4951783253c06ecc67eca7a862f010e34f706adad2de020969

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\0BB1052482BD8E79339105FD722AD409F4745887

Filesize
119KB

MD5
a3cd3fca5a9fcfe4c1d5b67f3ed544cd

SHA1
8f531654dcfa6f1cb37c4cc0cb11da4a39bc4a4b

SHA256
f82b1b414ccb57a4fea7cc7196c8d67f1bf2b40288ff4e24cee9e8204ac6b0ea

SHA512
19a31469eca6048e1f6874fa6e0e732317d4f9797e7621a65c6a7f82d4c1df277ccb2c318b8f4f0537a0c1a07a8df62540e19647b8ea4b514fdb899a84a61b51

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\0CAEF7F888B762E2BA192BCD450FFE1DFD4D8CA9

Filesize
57KB

MD5
27dbab5ae21025ac835147aa6a284f41

SHA1
2041383c6986fe7042739f0a96f7ff117abb21e5

SHA256
6539465eba34115c6abf14648dc08006fa07cc49f4e431d6a7f1f47ef1e25ddc

SHA512
71a649c5ac879b910b99d1afc0614f6e295353d9fb2ffa7a98a88356cd6721a6a342817d5dc8afd34a1d2e5eb8e17d9d75fe3ad6d31e8fa5dd6abf069f35f038

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\0E51AD3D4F034907905049ABDCE2704B3FB04784

Filesize
20KB

MD5
1d1a869986fa95b4368ffbd471f33646

SHA1
58852463b721851aa0fb41a7993870b884540d7f

SHA256
9c87394d99952d6bf2c9718feb441f51584386c13a0218767c340e5a863198a1

SHA512
b0084f5f4e57afc8a0dee504ef16178fae9f4d8e29b3c38a51a0c2b3b03e0318620742f4d47a376d15ad83f660acbf837e89f477095dd12152f2ec082ca107a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\1485C83D0EE3B0E38F91003A689E74B2DEC64063

Filesize
1.9MB

MD5
3d3478279ed5432bff80637ed89e9617

SHA1
41e6e051df8fe4c2a7fd737c33030fba032c9441

SHA256
7a865e554fdc1c48545e7fbe2a79403ad2ebdcc06a69ad9f529b2be77e03e43a

SHA512
244c43e8dcda0844a073771b9611e81ce8fbb119572ba31dfbd64c04ca6dc67c9fd461ce87dcb10ec7cd5c572727bcba41a26d47d3750e5aab5b548a934863fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\2A2858AF962DFDD41C4223B7B9B1890D806D7FFB

Filesize
16KB

MD5
d3795b17d44cfe38568a878817dbd63b

SHA1
349cb01f1ed1bbf17a240ec86b86bf628ffb13de

SHA256
acada5267489cc965fc8ce2c182ff7f6bcd72dc348f85a5784076ad8dbe5ae82

SHA512
ceb9f1aa7878d970df9428a7ff00d1db422e8a93714894d9b1143e08a431289491ba3b2840a0df44b9f5eac6f695d0e6d2a32bbe3d03314023e151e2f5690136

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\2CF97810EEA51AEB1C15B5F3E78A5D694D2E7733

Filesize
428KB

MD5
6174533414b4bc2945fb44a9e89ccb0c

SHA1
03b14cb707fa9de38a0340a0d0a31d19cbbeef9a

SHA256
5cd8e160456494f4741a247f065a645cba7562756d4f20944eeba8cd52b3aee8

SHA512
c415f32ac2dd60b03cb37d371efdb8b843852a487bf3f4e82bd4fc31c7756db56e35191b316e015567e1554b3ccbf6b8a57ea215de9cb09eefe1af82b9b21035

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\2F7BBB5065B7D1270C0044C1EBCFA4478AB7FE36

Filesize
66KB

MD5
bee67ba8e487819c653e2c7c4ccc6ea7

SHA1
b79feca094a79028e4df23f4be16e8661d9b3a37

SHA256
0d159500566361e06401214ffe1d16f3bd368e359aef847cf231446d67d2a38a

SHA512
3c600ed1646285d7d04fb438ab3f6f2eb408107c283449f11dd56b0cc821e2302a81714cc729131d778dc2ae98f63ba6267f45dda6282296b85c053a6478f6ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\2FB174BB6EC11CF667710769DCCEA2FA34D7BEC9

Filesize
416KB

MD5
f77d42427533c01b4b9ac471a798ca92

SHA1
05afb42038ef71a4c02d502effb71dbe3a27b497

SHA256
4534b620306fa67e7a6ac747754216ac2dbf56c0d1c9bf2d54d3530f3350acd3

SHA512
73a4268d2a625144853005ae8acb9bba41a012b25edfbdc1b98a6ed1443d204e76c3788a0c930493e68c7da19b2a9a326e92f665fcdef978e60d60b36e1a8dd0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\3AE8A7630FA301F782F91C341869CFEB9C2E9519

Filesize
16KB

MD5
2f24e7aec569e09e69872e558b0c6d7f

SHA1
fca95957cf5718e7692ca16197158ea91cf076f3

SHA256
2f850abc43ed765a93427f8b1b3d91c9603e3c075dfac6de871716939ea51035

SHA512
555312e8282ab17f1faaa3ecd6fd2d9f5c46cebea19777dfd852971585c3c7e8cdd49b98e6d7d944e31d1fe7564701a262a9f1b745e43a35557ece1b5d802937

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\3B985A7E19FE52D9E256F60DABEED28D4F212512

Filesize
66KB

MD5
e64c358a40bbce4cc7d65bb6bdd453e4

SHA1
46b2e1e755fe9985b20e39098f62c97fc8262375

SHA256
d2f52f3abdaa1e1246cf90866bef03c9bcc7637f4b89cc3cfb78b7f58e8e7d5a

SHA512
f85e380ff19d6cf9fb9fd0b80e7d9500a8c294585c19c9bcbc8c04a6f2786e04e19bf03342b3324cdcb92b7ed6c23053a94814f7f60f63a8453b6ad597b3962c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\418DE5AFE8EC3611B80C9C9705307007F14894B6

Filesize
104KB

MD5
52592e4d81c44b781ac0abfbf786c256

SHA1
d0a567f142d5594a816179e56d554060c182b6b4

SHA256
73d789a2489c4a57745ed793c74bb2388400b4da3e8bc1a650705caa635c91ed

SHA512
cfb33aacc291b0f3c4c8b7db85b2bfc8dc27106b6d9643bfff6042697ce324e52997176e49dce9f5f1896fe4655ad388b400d5e77dac4090f3abd4aa8a94b14f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\43AF6A0B96B65E9C285379BBE64C9DF77572921F

Filesize
1.3MB

MD5
15615c416818075dba76adc448612b8e

SHA1
901f5179e40f4165f56a8be02160462b317846a9

SHA256
db915479b1f0bc0cff9184082a686bab67500ade82af08072340bc1d8f029cfd

SHA512
7914feb23acce901dac409c11e947312464b901794c9fc9dc3e0880b706000d7aa7d62bd153a6dd8d4757af1b6062cbac8f4db38fcb5314f92532de8f80a6c61

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\46C625DB4964C00323A8EF4C60828B52A454EBB4

Filesize
1.1MB

MD5
47364d5cc76bf755bbd94e06ae44b60f

SHA1
f1cdd575576d51e77f1d9d589458e22d83caa5b5

SHA256
df9113f447e4c902fa534aa6486ff6d1defb1c1d7cd9a2dea150ae305493b5d7

SHA512
b6dd3a091bbb0fe83829284fcf846e8ba966490f5897be923bc401831588a02809a1335927859f443fc9314174e94200aa2ee882bc1a8a7262a349d67daf6cd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

Filesize
13KB

MD5
59377cdfeb899f400797a775013f3f09

SHA1
a07915cced96354c37e110ed4d85c02575661299

SHA256
a3f60922d3340616f39c05f52b40dfd73de720aba3c454c0fcd931a354144812

SHA512
00e2c9b991f83110285359f29470c1813910671b148766c2282e3b98bb3ec0b0d4c4d29f15dd421179354cd8f2d80d37309c2f6cfced5c092360aaf821a200ce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\4DA9C528416A77B90E10C4E946B9623AB3D72891

Filesize
203KB

MD5
117e3cd0f51dd04143a7ffc2487ccaa8

SHA1
0ad4f98751e99f9eb9b608c095d0c900bb995dcf

SHA256
6cfcefd66a4f5aab896474011c551666d72d1ece576da338ccd42f392c198675

SHA512
79b0059bf760baf30e6c4a812914db91fa29068ce27bbf2250385d5bb58f7948dae80d68c09f5d5f066e527212c038f30a38f7048ec87740b7ccc0c6601779d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\5524427E76785200FACC0DF8A5808E07217D7E24

Filesize
14KB

MD5
d68ce9b181e6fabe7fd27fc6152982c2

SHA1
45f6e1afef3154f005b1632ab27138b748de56fe

SHA256
16f0214aada2d22ed9facaad8cc461b05205a044eb461f034906921c7c89c351

SHA512
5965a7c6b87a5a68e068421dea2461c5db50bb38f009ddbcbc2a44f2ab9a817f6ab5757c5275af5faed9e227e9a73a1ce72dcaa39a36dfe54237e14e69e8d93d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\5AE6D89F9E02E65CE57A707F37A56F985F9BE4BA

Filesize
68KB

MD5
7594c76da1b9454ff918d29ba2964802

SHA1
c3589877c6b4bf012ad624dd27bd2211281dc114

SHA256
b0203f2c47813aa08d1334157ec98cf6915c9e5f76f9fe37bdcd6966e8b07c6f

SHA512
e1f13d63bf3e51319667fd82d9d2f615dfea34d7691022ae852941b45e43664578fd3df3c69fce7cd3361acc6b4afc1363a4f430aaf5b941009c7b50c16406cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\5F7C5BAD797CD29011DA2E9AFF41794C865AB8FA

Filesize
95KB

MD5
afb07d7f329eaa4678da3df3d40aa307

SHA1
987feb978b12245ec061edbd696e1c21326ca2e3

SHA256
386a3d30b551e5a681090f144a93c0d367b5486ca2ad772b3a9f94f9997c7d37

SHA512
5a676bf074aa49941dc53d480642ffe2bde89343fc5d5c35d5b7db847f809e7fe068204517a4f787077a83c39eb12b9f3ba5867f040ebfcff2a844760b3cb04c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\6171C3DCD3501947A8FD700724EF6121B8CDBFBC

Filesize
13KB

MD5
a2002e379819be319e180704f12f0b54

SHA1
55ae12461ebbb8b7815f2b102c7504c09431879f

SHA256
89660f743175614a1fcf08c7776c7d8c28389433f4cc249af147bb5245df2f01

SHA512
2f4a16a49a21c1fe40e73106cdefedc0c8c6b1e352d667e07f069ac9ee3645b2d05845f434e005b941bee42c46f9f73193b37ecc05521a567232b29fbe1f1a54

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\64734067DA3FCAD3A190A95377C1AC95EC2B62AF

Filesize
314KB

MD5
b13a0e6ff3117342157adf7cd0d4464a

SHA1
2b77baab4d68efc7b7bcb84c3df8020f31a814b0

SHA256
210432e9b4b6e16fbba8cb92771f411ec8415de9c6a958860e0576d92a28a565

SHA512
be81a49afd244b0ad88804b72838aea7c5265103d3e10dee998e0c1e44c278d6ecb254b7c8697a7551c0fd6f8136e1280c7132b451dc718259c65ad41c41f743

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\688D5E5894643BBC2304962D5CFF2AB2E021DCF8

Filesize
20KB

MD5
0ea8d70f6daef949c1d420bfbb27811a

SHA1
fe089e452153fc5f78e84ddcb2846dabb6bf6078

SHA256
de85f05da0f00c1d2e78a6b5b210ab379b0691249d2effdbc9471214bc1acb49

SHA512
0fbdf3db793305a2389b1d321723c6c414aca805b7a86c9b0c15e27ae7752344a5b3d88b5fb9ecfcd6a456ccdc700c1c4c8263e17698e3e19117b063c54a6059

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\6AFB400FA829226E5A4C4BDE9C2BEFAFB87551AE

Filesize
148KB

MD5
f772ca8ea1992a07d0907c47a8e3a98f

SHA1
08ab319a19227895072c062dacfbe8e79c4605c0

SHA256
b8dc08f3ec626e28303aec58e5519e11df140384f291ef72fd500804501d382f

SHA512
ce7615f09dd7bb3e41492eca71453607f114740a735e9634432d6be26e13b87239f40b21dde24bf78c9fc7c97af11feb2c36e3a626d87072f2030e2a88dc63b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\785F50524FF3C02A52C098E28143042DAF171145

Filesize
16.0MB

MD5
2faa72070a860d8d6491f6c92a970898

SHA1
7930f62ae0cb77ce84b3fbe732b75c15b738be6f

SHA256
25ffb15c6f4edeab2df25712a2978474ede9cd5ddd2122aa336fc255d08f390c

SHA512
455abf4c421472da96f43dd13fa84065634eb3bf640b4ec58a2f6468e84fab2c374f3a554eeff0e9b6d209d86acfdcacbf85c8fa9addc5d27701f910a89872dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\80318DF907B0618B0874F67E7D69731CFE67AD19

Filesize
406KB

MD5
33961749e69c78b0026c5362ba9d5cdd

SHA1
ecacf0ea12b9b269cf82b46dc4fa33ebf6ad1ef5

SHA256
4d7d895749964c8b34de3523ed63228d10fc4013d6ae0c154f0f44954493eb2b

SHA512
ff6f6fb61230f9dbf9b6c9bac78190173da1b6887794b5577aaa9a2bc09392b00b61357d7901523e64ebae3ab5204d71fd0cd749fc439563fc37c9c055b9ccca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\808BC36D5E9DE184874BDC07663DC9A0B0D56DD0

Filesize
62KB

MD5
9402c039c7844522d64da67dbfffcaea

SHA1
4a18825fe088c91b970c8482a0d294db64e5d5cd

SHA256
efa00620a47ecd0253e50943c90264cabe15da6278dd0ddfcaf72927b98a7ff6

SHA512
78d485e1b42d81c8a679363bf34395d7ed74db9b038c5e9ff3f1b984341e5c89db1dd0f407775bac289f7c5a5711f0a0a578a6c6d3ea43c720f9f82391215f71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\80BB96996C8133B0FE5E0D6E5EA21B26135E8EA2

Filesize
111KB

MD5
a74354e5349f6b5838ba3e82c6acb185

SHA1
af439344acef04da117ba24181f7326471c01140

SHA256
3d7948385b5bbe236bc044c18eeff56463facbb04acecdce9b5085d353eae003

SHA512
39b520f358631983e87601d17afa000640021b54a4f7467304cd7ea2cad18e3e877814d63d0416934639e737aa7ad8e2108fa708a2a04f9b301171f157511841

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\818D6913D1EF98264BBC58767F6D6D22E497C6EB

Filesize
166KB

MD5
13bf4dc7ced79dde9ddaef12ea4bb717

SHA1
82f158633c230e0c4f7655557f5c2bb0babf5b9f

SHA256
97a613ad7f1db32d070961ded2bdb71e7423c78ecbaeea7d55eacda47086fffb

SHA512
2f3ef8d50698e100543308cd289ce29cca15a5fecb5545bf1b2fea09bdbdbf825ff642ff19251cbd5671d689ccafa96b3ce6765206b6d89e3846ae41d3d893ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\8DB601393A5F78E59A443514D8C4C6672A0FAAC0

Filesize
114KB

MD5
343d3e190bb3eb117ff4c71249c5f708

SHA1
275580dde1719f6a3fdb0c0c8ad30fffe434a93c

SHA256
cdac60d82b0599877309b22b0c5b9dde1b464ec71e5b9239079392da8aacbcde

SHA512
2ea1dc582a3922632a51c0e6bb99e696004e8690fcd2a4a2957d5f1931443cf4a73a3e1f49da2c3023358c40865215b4f3af11d722d3ccf7eb9df7d15e44fe71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\8F7F9291CD952103DE4E1E0D99EF3B5370FFB701

Filesize
85KB

MD5
90a227c9c2a300c02167515d8c3d9aff

SHA1
f944f2f49688f7e8ca6534d5ef89b6dfda13437e

SHA256
a67c4bfac163edb2e5d8b549e86867e5960a5f7a6f6b16547127a243ac0736ed

SHA512
189fa7b8dd32c9355631b9d845da7bef2180799e038f764c4022e80904370291d8243f3d648b8f2d130ea86b1ed4231f9c82eebad1ae5456a6aa842e57b3842f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\971254C7341460E85C93D0821B91E9985A0B32D6

Filesize
2.0MB

MD5
6cdb68b481033c3b50e2d691b8c0b1de

SHA1
76a2c8adc263b40f2fef8f4e49d1451f9facaf17

SHA256
ab606693e1a487322b594ea474a9f44d69075d8364e3bff15a7cdb6e0beeb69c

SHA512
fd952447b74b991ce52c4c1e5292702e90a8dc6b63ad443e4e82ad9f8caff073aac00625a1cbae4bae349701d6d30f7067191515c935251e5f4ff6941186f1df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\98E7CB868A0E2CCBB49693CA594496B2A4BD01CC

Filesize
1.3MB

MD5
0ebefa0f16231cb718b225828d0ece69

SHA1
b16821a22eaf59940ac1c1bb85d19196e388a965

SHA256
73b9c0b4e6240a28183ec44a5063ab18d70dd2b34c2d29a3e89809fc0fbcee14

SHA512
601711de3daefcfecbab0547d274d93b651b8e219d1faa8213afc75ecc53c9f9276cca5cee824a402e2a3a7ddb483fd0d6a70fdff16d8426c3f3e6532029f8d9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\9E8A0382CB901824B91B7935D72CCCCD3E431522

Filesize
85KB

MD5
4fbe18c24ae225c9fbd97fb7747d839f

SHA1
9a35ad837fa306095e183582b5a6015805b32416

SHA256
41d456d9fb39670c3fa4c7cc2c2b23d5d56b42dda836bfc5b084828c39dfd25e

SHA512
9de027d3cefdd49f43eaf33bb3005bc0e0f38560d3de1adf879ea95be79d9fcb2e534f553df4d4a027ddecee76a4b0bcc05aff1a837df471f2a5c83671a2833d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\A6A38697D2C736A4A1943D0FFE9EF5335ACD50B8

Filesize
346KB

MD5
b99b858b11107512e3f5276fbfaf5f8c

SHA1
3b73854a37a142e0d62138681a945a021f3af50c

SHA256
49d76b636db31239c73ee39e001253c8efa7195f78ecee541b0d3ec813d716f1

SHA512
bea9dfc03d0c1e11c6f03444dc1a6aa98eecbfea5f766933b6c760580682160b6cd0ea9690edd167027a3bdf4679433ca9c4115eee098fe50f6916f40b95cadc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\AD525AE91F8D63419653596829AB9B1342CB5750

Filesize
1.0MB

MD5
4ca0a3b41af470bacc0fe59b1236dfeb

SHA1
36164937844d632da0f331311c5dbddae4301c83

SHA256
ecdd03590e30774d28a480ab76ae62b6aae3cfd0b7e2943f04bf65ceb963fbdf

SHA512
e167bb0324b16181bb490219bb866d90eb7802814943d3ef59befeb9a46a00b9f25bd47645a3d99e1e7282764f6fe5a5b45c56f13a61a6ce82d5c2197c644835

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\B6CC53B0972D295D54F95FA82A5838EC5616B026

Filesize
322KB

MD5
8d09e7f3391024bf143a924c9ea1aaf4

SHA1
c5e622f3795a3d5b0c53d0c8b5278a5fa8ecfa1b

SHA256
b16bc54525d3e5e18803928b0ac99f460951ed23bc282b105ccf2e89afe5c95b

SHA512
c0b7444e1f7b601203ff555e9325d0b06be4bd2878c353094d89d48577b4c0437ff57c677fd5eebaa25e8a89bdce5cd2e9cbe055e8b471f26b18e8cbe4513870

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\B8953C9CE846AEF79A17A09C295C86EA92208F3D

Filesize
18KB

MD5
69290bc635a788ecdbdab3618bd6030c

SHA1
0aec325ae59d870487b94bd10e8e0ce5367f30a2

SHA256
6a7e3ff8ebc1bc1ae100e842f38ab2db1c8b2433388f7f8750306af66b85bdf3

SHA512
3d054b09d47dd99244241a4924e36e19bd86d9ba4641570f118b480fd6bc432cc35460400a5ef3d763eece917022d74eeec424d5e8be3fbf6d42254abe446fbe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\D00C5AB7163622D1A89922B1B8D2B7BA497A6500

Filesize
427KB

MD5
b36fc01b619b8166750b220f0bf1e4aa

SHA1
2750e083691d3288e9e133671283318fdd8ecc25

SHA256
b398fc0ae23755842852cdb16f631d78d26848a1d66a43b488a27b741b0c61bd

SHA512
f5e29c1cf3f9a592b6b6c1dfc8a893ad5c1bdc51259c982bb538175b7e449e1a027e780495f99a9e1728b203f777d6555335f63d3a0853147331c098731bbea7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\DAA299C6A34521D0823A4FA505F836A037B3AA7F

Filesize
138KB

MD5
e1b3bfca81c548497f15f94ab914a764

SHA1
a826137c09f5e94cb364a7d605f3b5b787fc0456

SHA256
82c08c6b9cb7aac06fe6ed2dbe3ddbda4c98e0542617f5dd96a158a6c10c1cc9

SHA512
4676cc28efa630ae7db16e023f0f9c1b0292f0a145866dfeb12dbc1683fab4fec215cdeeab83ab3909a3ba5ac5b1a60d96b294ad6704dc4623ac39c7ee9220fc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\DC9D9F0C28D6EBD1ADC348DC29248B1D4BA307F3

Filesize
13KB

MD5
6cff2a1d322562e5f4285f67024618ab

SHA1
af88534de1dfa68bffa232c86c5578a7f2336707

SHA256
d80a2c8bbf7c97f5171cb887128e57c43cb2358a3cd02520c2f7853ac11d158b

SHA512
9ac724383a40a9d153560d5e9bb0dc90e7e7db37b4b387ee27c6f6c023afaa86c2813900b161387fc0c099d61fba54f82c7b0cb3de20c7a1d644ea4fe4de6c73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\DF2965EB1A2283EED52CBA70B49B557455C413E8

Filesize
120KB

MD5
f8c1d5ab585c99b2bd8c4af025160e61

SHA1
3fb94abebb1bf57c8b1d592bf0cb39ef61e7a76e

SHA256
ce41bdd519af232a5a48d3a4e247f046c4fcc7b2b4644847d506250ca663ab46

SHA512
50a9fe20bcfad4b48504229729debb94f905a684615203b8ee8b1855187802e41e8b318a3d11cfd4a3185f9289fa2902d0eb1d7ef20af9ebc00ae8c35eff5328

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\E2195B15E085550C47C77CCD6B686DD370076298

Filesize
277KB

MD5
e92e9560604b5f084407747b2c4e8753

SHA1
4584dcf5ce8a604dbab7d3810eab7ac647e60e0f

SHA256
9fca0f99d90fc3d63c57b9c18b41af8b6b00ce92397c83b48f61941022046c58

SHA512
c4ea8034c5324fdd34eee4c2dac3d6b7bc47cac99cd03b772bd9b762318452fedda1d9c163fbb5283406e5a59ce065794750feb24e74dbb0825554e36325fd05

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\EFA5961038C7165DCEA062446BB74783C749B259

Filesize
82KB

MD5
c9a2689c26b0ee4e53cb69374f691c44

SHA1
bfadd9c2cbe4f078cf1b09ea0d0110aea091dca2

SHA256
540c41d40513d32cf5ea20ca67c926b30669492f3207ebd08ea630987fdc1b79

SHA512
9df51c93931ef344faf113ebb78f632a15e9f5fec7687f720e5275f2b536fa4714d3e99443f5608ca3d61d52da3bf07c108dd773145fc100e34225d0b7cdd67d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\F1024191799870B12785EC8CF95ED4019EE3FD36

Filesize
309KB

MD5
68504814636d7f64c55ba91b878756be

SHA1
b3636fd78f410538a71c6ec06b501008f511a3f9

SHA256
6cc6b7b1f006af2523c57e6e2b589f845622a21139b5c4bb21285892f635aa4e

SHA512
ff4984b221f9621d9660aba9fd481c62acf7c8e680245a780c8206f5ee7416ce164fea967cfee3f6c286d157e9a4c383a34b2f02fe8f5e6b67b6f696603bcbec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\cache2\entries\F56E706FF9BDD17F589006258C8E35B427C64944

Filesize
238KB

MD5
db44089a2f12763bda84348285236e9a

SHA1
c0618c8a2b40a74d4f91e0014c2c6191811479f9

SHA256
95d3d80a4d524cb0dd3b36a74b1cf6dfe6dc0ff6866f1cb53de5f1837eb9d6ea

SHA512
81f6add0db78161d2ad01d8f11dc694b35de4f938c086985fdd42ddf01f1cf6ad567472283d57c4a3ba35de2edcf038aa4beac709d778e293632ccc5babca1cb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\startupCache\urlCache-new.bin

Filesize
2KB

MD5
95902d2f9b1fd12f243e899ecdeb4e38

SHA1
0fc5463c8527600389a9496fc505a9ff117bbfcc

SHA256
5f6d61a5a55fa21a9b390c0dc0c8260dcafa75e7766bce9df68f5fea42643c99

SHA512
28b34a6bbbc0f3e1cfd392002f36e62141c7c61ef364e6b21d7648c8ca9c117e415efd983829d814546159062bb2c64f2976f1e78d701177a85556ed21a039cc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g596d4s2.default-release\thumbnails\5c95876f594cffb1178b8861f8c741e0.png

Filesize
12KB

MD5
3d17d442a75819bcd7c3065ef4cd1ab0

SHA1
3f0b9e209e9a19bb396a6db2687b21e2e9625ccb

SHA256
378a40b55ea995c71f22efe653ccad94d6eca0bf9f7c823653528f2751b9d946

SHA512
39f340295d6cbcae13a9f9daa886258e7296e2d611f77d60b1d9359297380867154f0b2ccfa670feba95e996eef6d3336556fdddcf75e4e7aa5ca6cd69504b48

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
d90e784a2a95fc1d2e2199b6a907fbc9

SHA1
7e6ec69e4d899a81113a0b623f55e71ffeedeff8

SHA256
558da8426d77dea2c0be69bcca9730a7eb96bf79020b2ecda5509e1756fe4f22

SHA512
761c2722b6d75ecf2fc928f04fe5464ff275c8f6bce07ad7a19ed0e2c1660639c89ec2e38055bae1b5093937cc1d88ea3a481a883a13ee3682d3970c1cd33dca

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
ac5bf590d8e04fc6796c32283e2aa9ad

SHA1
f9f5a5630b7a2131cada626399826c7a1dc513aa

SHA256
e13a4f6ac8c31d70efa7087a4124d18ee1cb91504bff2617c7e15cd19aacdd90

SHA512
abccda090ad3c0ffc932ae8c13f2c19a468f308bdb5185a38d03574043f49336f96e074d13bdf124ee8395820babdbe2977529a92ef781658d0c6811da05c048

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e42cd13b8b0a67b201893520f630cb15

SHA1
e99fe462e27471eff47823a778a7806dae4f69b5

SHA256
e66fa547d3ab930c761b53e1a426c4d088de6963bd8f750c73d8ec117646091a

SHA512
514590b71b833c111ff6b4d544876af04d09d82d7b29dd4610465cd92f5d3ab25e70b7fc6229049d44193da14f0be99e2bec371e9379ac7b946b5c77b98622d6

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network Persistent State~RFe5aad97.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_051jvueo.xmh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dControl.ini

Filesize
2KB

MD5
f573360acced67f82b2306fbac3b0608

SHA1
8103b6500d8ef8265ba81b80664d2a0416f08bb9

SHA256
f332868d7ffdad3dc5717de8626c9b83e51f6756547454d3d019b6e2aecbde76

SHA512
e33280e51576ee2c2ad7c876e912d4b453ecd3d39838e8556948a568d9be280093fdc5bdd017d5a11d09467114eff0058c3fcea438e3998c2badb4028aec5a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD47F.tmp\StdUtils.dll

Filesize
99KB

MD5
98a4efba4e4b566dc3d93d2d9bfcab58

SHA1
8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256
e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48

SHA512
2dbc9a71e666ebf782607d3ca108fd47aa6bce1d0ac2a19183cc5187dd342307b64cb88906369784518922a54ac20f408d5a58f77c0ed410e2ccf98e4e9e39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD47F.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD47F.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD47F.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD47F.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnD47F.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
5KB

MD5
81bb22cac6479c4570c03f504cc6fc33

SHA1
2b5bc0bcf139bbbca1532f61bd47c337930e96c2

SHA256
599cff874c14be0b2806ec8dbcf605e52c1d64edf8d9e1bde2b77ff08dd7d6ea

SHA512
7596e6db7d92348990e556e4e937662f62274d40fb65737a49d48d9eff222b96e14fb49f007c22d7ea41ba1d078c552baf8f61182f76588e32ebf470a0395170

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
b96fae86aff5b48a4d8393205a78a687

SHA1
5aba20261eeae8b215f9f6ce7fce16bcf656cdc8

SHA256
75e46f309bf0abb13902027ddbef251fdd021134b10bb978e5a512f24dc03231

SHA512
a8a5366bab6598e4bf44572f88c3b6d391f014e5b291061fbf84c9c4a80e746e709a1797a1d5baedad55ca1c598c2c8f36aa11cbe08f2560b781ff9bb6a2b672

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a4d120f6f8079b983d1aee3854eb030e

SHA1
71ddbdea56d3025ae532f943478e3c124155cbb8

SHA256
9922c7555e10156af9a8ab4bb401d017612d3cb89cfb465766bbc34f5bc6a294

SHA512
8fc72b6c512480c521b9aa68859214a46e8d5a0f6a9884c5760163d2f7a848318f85470e1850cae19956c5d29313f3ad76bd1927572217ae33843ab5a933b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
d7075ee01fdbe433a3563b9af867c971

SHA1
8d180498502a5a4da6cb13990770ec9312d95cf0

SHA256
39e9e4ea365d9f9a922fe71eb2f0098de3296a0d86350bc153927707f7ab1804

SHA512
634a56fd712c20f6d53285fd20242e74b71e9948c6ad138a9cd6b7d8366ec6655a5f4108dad88989e0a7422f793b8a74f158b5771ebe1d83cff98ec0a6486c24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
8807314c4f29a00d167ca7a87d95a690

SHA1
0813530312beacab0352dd5c43ced3d1f96651f2

SHA256
53eb58dbb5e073802e1a5937d89541df5a93585d7d486cc2a244600ea6da74a5

SHA512
222dcd42d5618e595b411587c80121742d34688fe519ad10e41c9394cdce7e4bc6c2e19c6ab2ad0a5bc325f4c5b54c04c5f92c19de005c2c387aa599cc21b43a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\069edca8-a777-4440-971c-a8c02078e6d4

Filesize
714B

MD5
97c31a2778a6623dd2bd1e060c187618

SHA1
e88c0ed1c2d095c85e2d13ff59b97fdedb810f88

SHA256
d5314effa0218fdc381dfc16d5a26fdf99b8dfec646275f870b8d537e679fd45

SHA512
5ac637aa09f057aba84c0cb07a838faba729be5125fa2ca5a1ba0a459f37004d463b4c63d24eb2b5d761bbc7e4af3f50b1cad8d75b5e7192cd80f3757b8f7b01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\156ae34b-1500-4f5a-a870-f6a98a93f64d

Filesize
713B

MD5
0dc0a9dbc37d28209f3237d6ba10e427

SHA1
e3521051fbab9913faad829f46262aca16ea92bd

SHA256
d3b42fca2e64b23ddc6b74c96e822817ebbdf3741c770aef708279194dbaa47f

SHA512
4c15374c0d8c127ac932d146916425d45fe8ebbebf0fc5a500df6f01cc3d10f2a20ad329b3fc7544128f9d3e3f2e2429e6098ebe99004a1d8c8d883ae6c5318c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\1b214a41-b73f-4e89-8111-98a2c1073354

Filesize
10KB

MD5
815ae42bfbb0e28b2847e56194838620

SHA1
245b71c10854f1ecc9d7659c7fb159b25e0dbfc8

SHA256
d7c3edd18c851d1187acfdbe60bb76656243d42de57aa8561e806fc2b5da288c

SHA512
b9204f9eb78309ed9117a3e4c87017ecb970b6a7d2ca2d35772c0c9bb92b08719ee24f9fbe78656cedceb9c46a015a257907801dd047c1424e55fa0a0c35dcdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\2b6b086a-85c2-4dce-91de-be5ef813dd9c

Filesize
1KB

MD5
9ea63e86960ed433fdfaa36f132fc7fc

SHA1
eb9df528d7a19382b9aeb1815f8aaf0571dead4f

SHA256
e5857283ecaa72843dbef89f3e95a9c3e5fb0eda2366104554b4659d15939cdc

SHA512
f4306df60692eebc1e236e8881c608fc4b0a98abedd6b5db064e7dae397e668049c7a70142f83bd4fe8e4247bec329b590c0bd2da282ef5183c21ceaf163babd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\7e708ced-e63c-4237-83cd-07823ed13066

Filesize
790B

MD5
aaa6fddd32fcc5ce98317cc3c770e899

SHA1
91cdb5984140d8dd7944389a76bb36d5b10697e0

SHA256
e3073a8558cacebb098d475b9a2a5c0067a2627f8c8d1ef8adf8cceb38accf23

SHA512
daa8aa73d16a37b52edc5f6efb5832cff061dbcdf60e94c188602be26a0d68eee7f2442d28c24643c4d390bcd9fdf41875bded3d9607900b4c8b2350a9ff94ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\7e815c2b-423f-434a-b012-14c83699433c

Filesize
678B

MD5
3e1b7f7f32051cb6807a66ddf3ede3db

SHA1
152cd8dad40c289fcd7f94b8379ace050518cf7d

SHA256
a33217529685dad639da82cdce3f55d997995529e110592473beef8920671984

SHA512
72536e254027a7c665133d77ca23bee056c2aec6d52ff1f5a24fe424b95a9759328c3f23c50819caf48165916389df504c0230402b34b1a6e39af0cc4a1a13e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\aab355c7-545a-4fa0-9b21-790a528a6768

Filesize
746B

MD5
0bfcf541955eafa051661957902d1384

SHA1
a6dcee4062b25e1dc23922a5beaa35db83a5d4d1

SHA256
ee1c0610e700c36de9bcd5f3431883f282eb583391919520fd8b131e4ca1e9c5

SHA512
bd76de335f2c577b6cd1b4142dfa46c7e69daf7728aa44dfc77884e5b95a832017c97c902f14c06784a6cb0ed75048c3d79dde20549793917e7873bc20807d88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\bbc598b1-3324-4534-a138-d169f73452a3

Filesize
713B

MD5
994b62bbe3be3a35707007ef47331f64

SHA1
0b5d8661726ce587aa2794efb7fe11e151010238

SHA256
124a20f256332743d5df453b058a3707ee2e19447df7627a97487aca2bcea31c

SHA512
1151b311d7e5a85f2d57376e033630cedceba41055a48f0be09d3bdd713900b544708dbf7e730539276b5cafb5e2f8464aaa7fe19dba40612d9bb598c846d578

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\c7ee842c-17b3-41f3-b2ea-3bf452f7d172

Filesize
1KB

MD5
4752402a2a7fcaa774c0bab167e9baec

SHA1
5d696759ec84287432ba313d0e0672c50864fc1b

SHA256
aa0451da25a04ec248482b8f22fc5600f3c23c67ebada2e12d5e5985d901228d

SHA512
5eb6d717fe4eac4612b561a711ec239e59a92c8fb05d77eeb7324f24d0f92ec7e59ccf51ca724e4ba3c515065d17947b57e94d3199cdaa48ea4b40cab9681bd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\datareporting\glean\pending_pings\fe30d910-1b7c-4682-9787-2cc3c608ca37

Filesize
839B

MD5
e1a560277465aa65efb43d014b2cf768

SHA1
8f410e705a771ec9ee8ed954301e5b7560fa2666

SHA256
a256fd0b9e46c3552979eecc895fdaccd81eb49d3b4a0976512d0991aafd6ce4

SHA512
be694641e2f1a781fcbe4ba1e1af0f6a8e049e9a24af50d330e20365ea951d2bb13d4e6dd8060206c112041f34b3c2d26f6bfd0c856a9c291dc04a0c11ac53b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\places.sqlite

Filesize
5.0MB

MD5
7441ef0323000093406088e3834bcc26

SHA1
cc4691abaad7468908241104f9f84189e5792d8e

SHA256
cc9e38e6bb7c2fe78d44257c6cc8e1d9957b23ffcbb3b5022d3015c48d81d220

SHA512
6012d88ff5a8ea4edbdc0d57e3e7677a9f019e42e55e50d350f9013a0a241ee9665d3b9afabd5141bb352c56957e3b419ce8b9ec7d3e4b7224a9bff61b0c7332

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
9c155bea4a90e813f1f28077036a36d2

SHA1
c62baa2b77066588123f587b0f813cf8d47bec1b

SHA256
c64fd4948b68574aae9f43ea20dfa91e9526a5d287eea3a1ea9b7172cdca1ee6

SHA512
10e7b470d8a79c70d35431f4522e21ff303efa4559400270b337e07a907e2b291a687d0c4c5db76ef5bd9cec20387a05852250e271d69414cfcce2e1476507f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
6a416864f1bbae471c24272b7ec2b825

SHA1
ca072036e3baf942c95a632d9f16fb9b3bd57ead

SHA256
865ed83762af7b0afab7cad351a13665de9838a24e6fa6936c0a11201e1b45b2

SHA512
e6a85dd41e8e50b81e1000c4b2ee5b6ce5a50ea50f9c22486109c4015448b9efe9467d3eab2bf7919563627830b80cf15387d6b83e8744e05af3268a8cb09aef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
bd9e6b178e692ee10be6aab47905f0a4

SHA1
0154ffbb9ca031fcb709070de055882659aaf30a

SHA256
52990756ff778a4c0b8564155af3258b8798c542ae67084bf3306e5016082e53

SHA512
f3283f10713b5d5d0918426e990de802e606381b7a696c5356f7f5839cc980ac09cf4842810bfd5edfa78971b0ccc041e27b3d8764fafc995751ce67ed01fb0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
1e6c68af1e2a044b6fce71fa01b67097

SHA1
74403e4badb3e7291829f8ed33adf83a19570ec5

SHA256
114673d575f0e2d83893382e52c3f0fdd7aaeddab537473ef7c4e669d9c8632d

SHA512
bc7698c48e4975da5367733e646e399b663f0556e03a040da68ce4df517fb99ec2c102012c9f73ec048a791306e45c5d1a5dd9ba6e939e732e166aefeb66c2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
ee38b4d7210cf070e4511381dc69e3f5

SHA1
8dd8ddb6d6d3dd4c52789b3586d2e24f198f9676

SHA256
4525c24cc926cd2b46d03f0cce42c48d388fbe029d13ed00aa6c1264fde2ca47

SHA512
bcf7d2c0a8e85f8de3b6a054f22ee0ecb285f6fed955290f10385279378d58988915d395fe4d4ca9f8d05e0daf7ebeb19b75cd0628dc03290163ffd628959de8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
5f90e5c9b92718792c913fd8625817f0

SHA1
e41076cd32b21a4a5edd480199f5f0f06de562d5

SHA256
205816e3a0c476d63f2886b0fe53af8a98a3808bbed074f16fc826f7da93282d

SHA512
ae1266f7502be5d14b45813c8b27244ae75511e44b7dba0742d9ebb53e4926c34108ef93d2624018bf2f0b4cb565b0b9d2db70ac90d7acacda69aedc82af90b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
0a5ccb62d40f3f53835a40fea9e2b15b

SHA1
2ece9b27088a9b01acba2732ba5ce78af1b9a873

SHA256
72b27a0bb45d292e7a19a1c1812477ff3f1cd59e458fae3573414f55ec128dd8

SHA512
5e1ad1ac63aa07e1afc8bbe244aa772f8ff778d3fa8617d872b711c351d8d587221235282d948cc773ecd3a29f745b95fdb0b5e4e9d6e9a3ebeecb2061f27ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
e9d30b0cb87882b44f60be1d3083e07a

SHA1
5db2b5ce83d38bd528743410dbe4f4340d484e37

SHA256
78ca4491eb06a845b97e4ef4850944d93f321d14bba12b6c541b80f0bb9b4a7c

SHA512
e7220929900fb65a2ed27b82947b15b106a3eba0b2c9a6d63e90919c553ec3fe3f5d8d28ce1ab3b395fbb376cf64d7b7181da87358f063e2c5eefc02c849ea50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\prefs-1.js

Filesize
6KB

MD5
c1ec15b405e28cd8c519a1b04a229213

SHA1
0084b0d7e5be84b191e78ab2355a3af5da121d1c

SHA256
53be7e3dd1ed83871eb76f33fd305c7ce206879b14cbfe0874dcc6aaacf4275a

SHA512
d3c11ef70fc63eb8695387f6089ff8516f38cb006b5279008e540bebe96eeb617f2f23cd117799b6aee8241ab08ba192fc5d4acefe36aec0c7a03cb5628b47b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
6c1573ad002ecdb5fe614b539ccbe629

SHA1
008a8125d93866d253c55072529eb67697f010ee

SHA256
6dfc80024410f192035de193b0a3035d5ea683cd9b7b71302098405d87568e5c

SHA512
633d1b0f2f29f912f99953344589c646876a7c3f26e588c6aed852122606f533b3c19aba739471a0241af31c21777dfe30423eaef08e383e20997930efe0eaa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
23KB

MD5
d88ff4b0cd8429229a1c402bc459b459

SHA1
5a47e7fd3d690372c177fce7938bf8ec0d09b5ad

SHA256
bdda01071f297f07476b3cc5823b6d255ea44491fe0501aa687de97d95d99512

SHA512
12bbeb9fbeb09feabb7550387ec8378748011df28336886ffcd6a4fe5281833b6f6fc4b010164f66a8f78ec0f1c7773cfe4982fe8184c72eb46a678126f1de70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
cf8269dcebad4fc87ce33ab5d9951a2a

SHA1
48a68b71e8220489df3db33f12f0008eb1f65afc

SHA256
09d03548cc1a8e392bdbf53a66da4ac1391c476f859d9c1b7b9cd355ef20b0e4

SHA512
b9ecc90abd422e47458dd2f823856183707dd11047cb363452b872b5646ecd7242dc51507a750c8b91d24d66285a4c17672e196e2b985187f5d29667fbece47c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c4c8ba2a744ba08680a999e1ab60c3f9

SHA1
9e21af90c8861695c720efe5310b821cf44d63b3

SHA256
675025ecca4381684f0a62c39042a4ec185d762ca0d6b5d577bc1cee73af59b0

SHA512
1550095dcbc7eb578852238e2ac5cb5915b851d33e6a9fc897131ae07b502d1b0e4ddd4ba5fc0fe262bfc992397917e786ba88037f60ca49af4f9073b296f00c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
cb304a57fd8409292ff19787952384fe

SHA1
00bb20a8080deff7486af6b70eafe2ad68c7f1a8

SHA256
4df69cca29c38b08658596d5b5fb7f51a840ac634112c975d7c44985589ffe9b

SHA512
52505e67d79c1a98b02077299f4bb9fe25dcec59acb6229670481de143f5c42e0da98a7c7c6d3f3cb4e12b0d318d0da09398901d8c06d77f2ae287a312d179ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
51fe7add6c96c9a4ebb9bac5d99436c6

SHA1
b0261bfc8b881a92284337130c102c37f82261ad

SHA256
ea11cf8ee9b8b161c6d15ef6842b944b1e1fe0a5ede876ff903473dd0514e597

SHA512
f43ba29761ab03d35c8fad6f79e824ce74636aff556e648f928675e479935431e0bbc1898bc0081d2b54e86515e6c695f62177ea7906943b0e3f33a7d74462a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
26KB

MD5
dd78fecc79342b75200aa24bc35e82ea

SHA1
d1f1c19f9bb0a61c0fe3e6f48d1f68e81bf22732

SHA256
a679729baca29cb323c6643693ba5454d0f8767d3e0ec67ccfed8de765c56534

SHA512
4e0f32c5df59ea43c47df43e5d3c906fc295a6abec877905d4185146494eb93a5ac9d368305bf019e6226b21b8e2911bb6be475acef23a82a6148e5356261d97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
bea5a6bf53f213e3dd1040e0ced928b3

SHA1
cf085ebbc26afc5a87b51ced1d352641673c6281

SHA256
496735e5a47a0c3848689d59e6041a14523ff11f60b93f2df0bfbf79f9e4b859

SHA512
23497e3b091e2f3b919969e6f22a0d25952576156cd9b0197f32e5c0f1a4f97c91cb37410e88540db27ee634b6e3732992a96e6917e79e626524a35b32dc351c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
26KB

MD5
3fc78d96e6fc2912844d7d6625309e23

SHA1
a84f12e17154e079f213b3c6e4368a591b5d1742

SHA256
4ea757fc4d13fc3d7a1e5ab6ec9e09b3fa0553eaf66547f5e3a3ee9925f240d6

SHA512
990a18c9466db33a236501f175962908ad71603acc800214fdcda0435cac99712781ec11f2ac6feb9e0d78c11693f861b5a3fa075bb9dc8fd3ef9b04f71be151

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
50KB

MD5
722c6f80b8c39515d807a68b7963dfbb

SHA1
0a22b87897fb7b23eaa92398b725d1ace6806c63

SHA256
d134aba405823414a45d5685e8fed4c5d3b5ea83b4d5979696fc3280f14dcd31

SHA512
539fee08a91707650f445b02e651a202feab3080efa2f4298891e7840003321ad10bc258c40020bc1db58b7d7a22eeef0acded7a6c83d6cb4f2e6a06dcae7538

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
b80c8c66ca5f088475b1da502089b574

SHA1
d0bdb03f0425af5cb8daee86548bc5d3382a7533

SHA256
40449a49747ac0e886ac6bfff68be7a22800205ca22025af51ce1d61849d02b1

SHA512
e1d22b61556496397ccdb5c5b84e4a8a44ced52427fc2cf1648b8ed8ba4f0b053086d9bd1c99838f1d966c23f3f4d8bdf56df911abdd945d4bb292c6dfc001ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
4ab2102d5fbfaee9f3481ea05eaade63

SHA1
6b5c0262f7a48ec1d0e1d758f530222f984c4815

SHA256
96c44c30732366e442660de84380586fb9387b80c4776b7bd8ffc1cf7dfe2829

SHA512
3e983ef91fbf82fdbe5c39f02e4f2a971ae969fc192fcfd4ab3d74d9f444ffde0f32062e941897f60db8f89fb28744b595eadae2e0dd0c66c9ccca68660129fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
26KB

MD5
c106bec6cfa0f062edead5a1df3b4b00

SHA1
1a54b81901bfe77eff4f87242f46a2a273c6e949

SHA256
64b478edbffeff6c76b96af3272494d534b520e46a64bc25cc2f44df5586506a

SHA512
eeaafcd58a0ae638f9793d59a51bb121fb71495c638e9f6b3d56396960a83cc70ad2fe55314f8c653fae22b1b573eab84639391e4714c7df465b6c5225e55504

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore.jsonlz4

Filesize
46KB

MD5
c024ffd5566e2c82584dc72ebed6cf6b

SHA1
a4d423a17a6178e0f692341e867575e2495b0f40

SHA256
64b6339215f98d3f872abb03d2ec3e308087b06af10140ef93aca74c1676ae30

SHA512
19f4c9f500727730fe5ef6f865ff09566053488b6c6555f8ce055f2f7491dd15228a9560cfdf0f0a415cafe9b0310b3a3c7b5d880b3b158cf1c61c22d274952a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore.jsonlz4

Filesize
24KB

MD5
a9bc78aeb103aec25da4a374234469a7

SHA1
db005823460f8ee811be9fef07bbf33461008256

SHA256
13777a0b3c3e19cddf30d96a5a57039a64371f859f3ca08fecb46e1b0023a4d0

SHA512
951d598463fc2cd0c0652c3146d83b3925a7bb0c1a3548917d03685e022e562dd42b2f37a4111234718094a7731553ebb26f4b52abaa313639931add66c57d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
5b8c16e49e856370e128222b6431b226

SHA1
f28b67df52affe1d69c94786813a1d9c2b878d01

SHA256
a0bf8c64d06a0487fa109809eba6dd0adad0e41a5948c99ddf5bd0acce47ba7f

SHA512
450ff231493d94073585372705503f2d66c42fc8108414507595105efb3381ca88cc6035c7de3d3f6b5b4ff572a8960102de8fc7a4e6f2e6a2331f09cb530314

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
c7f7641af0ba51e3b0a9da9d1dd9e4a7

SHA1
311097254f273f9195a16c0107849233f86562e7

SHA256
ab7fd65d0994576f6cb1aecf7ee704f866f34e0a27178c541651d9f1cd4307b1

SHA512
203571152b1ab4be6db638f0e538ad6be521a298d3aa98625226c5b4e7060eab187ecf4ebb5430355963a28c166f9725a7f710264b147c0ea976912fc7c3b7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
a2b8653e00d386c21a17cf2f40dff707

SHA1
43c61fe3a72a0a2771fb4f596545a41e0aa3c111

SHA256
169fec7936acefabd01f79525548ac22d0953c72b7d9467b0e2c67932a58d5c8

SHA512
4739026e4bccd963ee382c1354f2204b83788877afdda4761e964ade827dbfce94ca0c7ecb36fdad37f0dfb9a24e6b1894c50e6e4886037867de471457e20559

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\storage\default\https+++www.google.com^partitionKey=%28https%2Csourceforge.net%29\ls\data.sqlite

Filesize
6KB

MD5
c44c769ce9c3bfddb71a0d6f91e6f4d4

SHA1
14440be5167fcc1cb6ad78c918903510dfa6687c

SHA256
c7bf457673baca597f750a2e9177452d68de64b8785f99d10fc518c4572cf974

SHA512
408fbbb149eb6f3c71f262fc902f0764a8222493713b5dd06a3e6fadc3a28df60ced3629aabfa5a4a775c10469aec972b974cb5e453499f07733917705f68238

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
ceb757ac8347be38f32e1c6613821e6c

SHA1
f4a0193e635a974b8ab3abce9ba9be3d4561585e

SHA256
3d000bc89614bc77aa95b67474129ced3b6d1f6509eea2cfe6e732a26d6a10e5

SHA512
e63cc6a569765cf9f38dd8f2098b5c89449392252524839e2b0a7f52ec016a24112004fee0d58c51eba72785c8d94452e40be4123619cbfecd39266408881310

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\xulstore.json

Filesize
141B

MD5
b847f28acdec63348ea376efd4278d02

SHA1
da4ae0ce914885ad7fe1f89aef3aa4f324747091

SHA256
7e63f727108182d4afdf0ae5131c9e0692d857b934fe8d93a7d4a8cea58fb834

SHA512
07b89826d35c5b9f056c8556ed5dd0a961f779d1aa7639321b90c56ef65bf6706a653a22f7790543b1482414069d5587c1f1c28215e92a7ffdf0fa4a55537c08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g596d4s2.default-release\xulstore.json.tmp

Filesize
217B

MD5
0c8d2affca72687940bfda3c73b943b1

SHA1
1d29b78b6c4a57ae16cda5acdd3fcdc817fb40f1

SHA256
51818b82ba606d41839fe0f3d3669cdaa244174d8b764426cbc5d9de601b2408

SHA512
15c6d606c92d62758c73dc344296d1445947d85e34b86e0d578890e3b72ad0baf7f8b59b5bb8060a52b00f4168a25915b1a52ce0fe65245e51f08604bf90c5a2

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
147B

MD5
6fac30c6aeb8579559e615cab61c553e

SHA1
ccaac9d9a91496a2ff6d94272e67ccf853e5d6f8

SHA256
f3340a0498a1387b2e127b112d6c5301fc8701aa5ba7f0948e34b2875b277702

SHA512
10637368708137544065ef625c968ebcdfab6c4fbe63515eb5f40009a7fa45f596c46905d26442d43dc6419207fb73d8a3599e40cf41a2c755a068e724fe3103

Download Submit
C:\Users\Admin\Downloads\SteamSetup.qm0xxoUw.exe.part

Filesize
145KB

MD5
b4f20e8329ca6109d3cc7193bf95f845

SHA1
3c0d496027eb05393d2434f547ed2f2ad5330d8f

SHA256
1da0202d17db594a29b3ed59937884e9015ebf381d102b170074061d6c5fd54f

SHA512
55459455097fe52195df91e062c03b1715706df84cba49fceefd76a5da6aeec034cc3fb4166ad047ac8a85090076dcdc4c8374a9c18813c762e1be81cb997725

Download Submit
C:\Users\Admin\Downloads\wn1AXrT_.txt.part

Filesize
435KB

MD5
9d4ff1bd95e8767c13ab017f9bf6ef88

SHA1
33719120dda6c2580b3819ffe106acd39a0995ed

SHA256
a3ff73134206ae3dc8ab309197c357b94e0711523249b406f1f4b9d1dd481f31

SHA512
2daa0f53b5ff48624cdbbbc4a667853791fc189c77bdd0518db072102dce0d74ad11a6494446d66bf9a4cc54fd4d84f894d906e88a27950dd14a371c01276fdc

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
22KB

MD5
445c7f66cd652f915bed764c6a60c3bf

SHA1
1d920199558272f438b830f5176e07a431666f24

SHA256
472b8c6f4eb4ce131f2590ef3ffcddcfcef57d509cb288b05fab190936a0638d

SHA512
82168f88840a1babcdea46d97d65cd426a6d0b428367996c2ba608ac869bfc81b45e0d26dc14a3f3cab907d8fb9c6423cb739b6785a19f217f565dd0a4c370cc

Download Submit
C:\Windows\Temp\1m9r9k2k.tmp

Filesize
37KB

MD5
e00dcc76e4dcd90994587375125de04b

SHA1
6677d2d6bd096ec1c0a12349540b636088da0e34

SHA256
c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447

SHA512
8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8

Download Submit
C:\Windows\Temp\1m9r9k2k.tmp

Filesize
37KB

MD5
1f8c95b97229e09286b8a531f690c661

SHA1
b15b21c4912267b41861fb351f192849cca68a12

SHA256
557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

SHA512
0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

Download Submit
C:\Windows\Temp\3m4r8k0k.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\aut64D4.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut64D5.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut64D6.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/288-22-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/288-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/424-97-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-109-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-106-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-99-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-108-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-98-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-103-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-105-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-104-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/424-107-0x000001A70C960000-0x000001A70C961000-memory.dmp

Filesize
4KB

Download
memory/1512-13459-0x000000006F790000-0x0000000070A87000-memory.dmp

Filesize
19.0MB

Download
memory/1512-13439-0x000000006F790000-0x0000000070A87000-memory.dmp

Filesize
19.0MB

Download
memory/1992-43-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1992-21-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2272-14413-0x00000226D0560000-0x00000226D0570000-memory.dmp

Filesize
64KB

Download
memory/2272-14410-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/2272-14411-0x00000226D0560000-0x00000226D0570000-memory.dmp

Filesize
64KB

Download
memory/2272-14412-0x00000226D0560000-0x00000226D0570000-memory.dmp

Filesize
64KB

Download
memory/2272-14415-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/3480-14179-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-1361-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13442-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-125-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-260-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-284-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13599-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-298-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-115-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-114-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-14077-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13736-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-126-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-855-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13738-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13739-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-111-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13741-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-14208-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-110-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-96-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-44-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-95-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-94-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-14364-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-14178-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-124-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13650-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13740-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13742-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13864-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13523-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13432-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13524-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-1241-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-123-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-13743-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-2918-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3480-10218-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3760-13444-0x000001D186DC0000-0x000001D186E63000-memory.dmp

Filesize
652KB

Download
memory/3760-13383-0x00007FFD7BFE0000-0x00007FFD7BFE1000-memory.dmp

Filesize
4KB

Download
memory/3760-13384-0x00007FFD7B560000-0x00007FFD7B561000-memory.dmp

Filesize
4KB

Download
memory/3760-13441-0x000001D187500000-0x000001D1875AF000-memory.dmp

Filesize
700KB

Download
memory/3760-13440-0x000001D186DC0000-0x000001D186E63000-memory.dmp

Filesize
652KB

Download
memory/4624-13343-0x0000000000960000-0x0000000000DD6000-memory.dmp

Filesize
4.5MB

Download
memory/7800-14257-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/7800-14255-0x0000022961DA0000-0x0000022961DB0000-memory.dmp

Filesize
64KB

Download
memory/7800-14254-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/8060-14235-0x00000211DCFC0000-0x00000211DCFD0000-memory.dmp

Filesize
64KB

Download
memory/8060-14245-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/8060-14234-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/8304-14231-0x0000029B28810000-0x0000029B28820000-memory.dmp

Filesize
64KB

Download
memory/8304-14230-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/8304-14233-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/11116-14205-0x0000021820940000-0x0000021820950000-memory.dmp

Filesize
64KB

Download
memory/11116-14200-0x00007FFD59530000-0x00007FFD59FF2000-memory.dmp

Filesize
10.8MB

Download
memory/11116-14207-0x00007FFD59530000-0x00007FFD59FF2000-memory.dmp

Filesize
10.8MB

Download
memory/11116-14204-0x0000021820940000-0x0000021820950000-memory.dmp

Filesize
64KB

Download
memory/11284-14188-0x00000298401B0000-0x00000298401D2000-memory.dmp

Filesize
136KB

Download
memory/11284-14190-0x0000029827420000-0x0000029827430000-memory.dmp

Filesize
64KB

Download
memory/11284-14189-0x00007FFD59530000-0x00007FFD59FF2000-memory.dmp

Filesize
10.8MB

Download
memory/11284-14191-0x0000029827420000-0x0000029827430000-memory.dmp

Filesize
64KB

Download
memory/11284-14194-0x00007FFD59530000-0x00007FFD59FF2000-memory.dmp

Filesize
10.8MB

Download
memory/11696-14268-0x000001A9E8300000-0x000001A9E8310000-memory.dmp

Filesize
64KB

Download
memory/11696-14258-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/11696-14270-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/11696-14267-0x000001A9E8300000-0x000001A9E8310000-memory.dmp

Filesize
64KB

Download
memory/12140-13367-0x00007FFD7B6D0000-0x00007FFD7B6D1000-memory.dmp

Filesize
4KB

Download
memory/12224-14283-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/12224-14272-0x0000022073E10000-0x0000022073E20000-memory.dmp

Filesize
64KB

Download
memory/12224-14271-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/12224-14273-0x0000022073E10000-0x0000022073E20000-memory.dmp

Filesize
64KB

Download
memory/12516-14296-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/12516-14293-0x0000021250310000-0x0000021250320000-memory.dmp

Filesize
64KB

Download
memory/12516-14292-0x00007FFD59270000-0x00007FFD59D32000-memory.dmp

Filesize
10.8MB

Download
memory/12516-14294-0x0000021250310000-0x0000021250320000-memory.dmp

Filesize
64KB

Download
memory/13816-14398-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/13816-14401-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/13816-14399-0x00000209579B0000-0x00000209579C0000-memory.dmp

Filesize
64KB

Download
memory/13944-14379-0x000001D86F570000-0x000001D86F580000-memory.dmp

Filesize
64KB

Download
memory/13944-14378-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/13944-14389-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/14060-14377-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/14060-14366-0x0000024F60450000-0x0000024F60460000-memory.dmp

Filesize
64KB

Download
memory/14060-14367-0x0000024F60450000-0x0000024F60460000-memory.dmp

Filesize
64KB

Download
memory/14060-14365-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/14904-14431-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/14904-14432-0x00000201E3E50000-0x00000201E3E60000-memory.dmp

Filesize
64KB

Download
memory/14904-14448-0x00007FFD57D20000-0x00007FFD587E2000-memory.dmp

Filesize
10.8MB

Download
memory/15172-14434-0x0000026510D10000-0x0000026510D20000-memory.dmp

Filesize
64KB

Download
memory/15172-14435-0x0000026510D10000-0x0000026510D20000-memory.dmp

Filesize
64KB

Download
memory/15172-14433-0x0000026510D10000-0x0000026510D20000-memory.dmp

Filesize
64KB

Download
memory/15172-14446-0x0000026510D10000-0x0000026510D20000-memory.dmp

Filesize
64KB

Download
memory/15284-14444-0x0000020B64DE0000-0x0000020B64DF0000-memory.dmp

Filesize
64KB

Download
memory/15284-14440-0x0000020B65030000-0x0000020B65040000-memory.dmp

Filesize
64KB

Download
memory/15284-14439-0x0000020B64DE0000-0x0000020B64DF0000-memory.dmp

Filesize
64KB

Download
memory/15284-14438-0x0000020B64DE0000-0x0000020B64DF0000-memory.dmp

Filesize
64KB

Download
memory/15284-14436-0x0000020B64DE0000-0x0000020B64DF0000-memory.dmp

Filesize
64KB

Download
memory/15536-14456-0x0000014197090000-0x00000141970A0000-memory.dmp

Filesize
64KB

Download
memory/15560-14460-0x0000019CB7A70000-0x0000019CB7A80000-memory.dmp

Filesize
64KB

Download
memory/15560-14459-0x0000019CB7850000-0x0000019CB7860000-memory.dmp

Filesize
64KB

Download
memory/23296-14221-0x00007FFD59530000-0x00007FFD59FF2000-memory.dmp

Filesize
10.8MB

Download
memory/23296-14211-0x0000019DB6510000-0x0000019DB6520000-memory.dmp

Filesize
64KB

Download
memory/23296-14210-0x0000019DB6510000-0x0000019DB6520000-memory.dmp

Filesize
64KB

Download
memory/23296-14209-0x00007FFD59530000-0x00007FFD59FF2000-memory.dmp

Filesize
10.8MB

Download