67c5765178fb5b2e53212d422be0a8c69257c0c64990a61704a2c6d1d4e7d0e3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord Nitro Generator/start.bat
Size

55B
MD5

b81d7791fc1ff12b1ebabae9a1d2bfdc
SHA1

9b4d3e660ea56671ce100db01c02eaa11bf97347
SHA256

2718a599b6149f9bd4313815fa2e69c2d4c07b9642b3195fdf9fd84acb1d7f97
SHA512

1306699d9a5acf1da21e5ab4bdd223d74451d3513571291cce2e5f446f6596c6d1afd3db7acca3360bfaaf719041a202a562e89ee954a6469134894e0c71ccf2

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5380	SteamSetup.exe
5412	SteamSetup.exe
4528	steamservice.exe

Loads dropped DLL 8 IoCs

pid	Process
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5412	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\Steam.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\bin\SteamService.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt	SteamSetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Steam\steamservice.exe	steamservice.exe
File created	C:\Program Files (x86)\Common Files\Steam\steamservice.exe	steamservice.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\uninstall.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt	SteamSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2132103209-3755304320-2959162027-1000\{26B3C007-8E36-4A20-BB04-22069D9D93A6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\steam\URL Protocol	steamservice.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 968814.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1880	msedge.exe
1880	msedge.exe
2436	msedge.exe
2436	msedge.exe
2992	msedge.exe
2992	msedge.exe
3292	identity_helper.exe
3292	identity_helper.exe
4200	msedge.exe
4200	msedge.exe
5760	msedge.exe
5760	msedge.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe
5380	SteamSetup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2856	AUDIODG.EXE
Token: SeSecurityPrivilege	4528	steamservice.exe
Token: SeSecurityPrivilege	4528	steamservice.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 1788	4356	msedge.exe	111
PID 4356 wrote to memory of 1788	4356	msedge.exe	111
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1400	4356	msedge.exe	112
PID 4356 wrote to memory of 1880	4356	msedge.exe	113
PID 4356 wrote to memory of 1880	4356	msedge.exe	113
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114
PID 4356 wrote to memory of 1036	4356	msedge.exe	114

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Discord Nitro Generator\start.bat"
1⤵
PID:4448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6fefb62dh3162h414fh955dh908554e8e049
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff812a46f8,0x7fff812a4708,0x7fff812a4718
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,9783017172924931372,17147938040283984918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,9783017172924931372,17147938040283984918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,9783017172924931372,17147938040283984918,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:8
  2⤵
  PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff812a46f8,0x7fff812a4708,0x7fff812a4718
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,17924946858322376790,4484950494839116895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5380
- - C:\Program Files (x86)\Steam\bin\steamservice.exe
    "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- C:\Users\Admin\Downloads\SteamSetup.exe
  "C:\Users\Admin\Downloads\SteamSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.1MB

MD5
b4411620a3551834e4f699cc5a9b27e6

SHA1
5093960cc86613e310d13770b5adef00fe93f3eb

SHA256
3caf4a246169b2d30c6bf18fa0b7a4a01bbe933cfb781f3da4c6b3cb67b59d04

SHA512
47dde07212c2d5eea548d7794fc6bb9d86ced9a0848aaeab81fa8844fc5cab7eac58e386e96a81c663b914c85c0a7116033e2b2cfd18559d40aa6c83f9a6c024

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.7MB

MD5
2de3f7cf6020b3bb6bc4199459a63016

SHA1
8a30e5e333a353eb069ab961a4c1918fcbb44623

SHA256
f649f4a1d41cd442d5e3f079b1677442a2123eb494bda58ef866870b25915d7e

SHA512
5d1e016c731dd1bfaaf24fde9da4f453f71773a71db956290809eb82064fa0307874cd412be6ad98c4fdbb36e94cd8ae7aa27341aaa1f9f3f9e696afe0cca56e

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
8ebd46495dd3b4ab05431c5c771d5657

SHA1
e426214322a729faddb5bc80053af5750c76683b

SHA256
70c39d5d5b16640165de19cee80da4a391035108cbc5f5009372a86954f0fe92

SHA512
53afd923f583eda4db580935a8cdd62413af8e830c04f2c12d15c55e905c114ec11a5e4483660601504c27e9350e9e47c6432f8f699464e11c5050fe846d7dc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
239c03a3dc1c27993da724736d086cef

SHA1
ff88246f8ea3502873dcbdc622378f006c58a2e6

SHA256
b387e2fb971297d3438acca130c53dfdd202ae2ca5b52d6503333734cda4fbfc

SHA512
656922e8f2dec46ef36efba5c85088c47b02e89f62b27559611fcbe6ef85c6cd8462a4532e2d2d7f4faa977ab24f0de6f5f72e3075f8889db9e6e60baa162a32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
6def4d3cf1453d5fb69d22fca29892a4

SHA1
09fe62653e55668de75a9fc5b64949ea81eb4991

SHA256
60c29f3c57c44c58daf69be797bfede31967b1ddfc9bb68cb7ddaa0acda67c8c

SHA512
ee4f3f5dd8a8aadde9cff8f8aca8a45fa419c36fd8a4a7d3af9b71e1f7e5d9e1d01c329c70e6da53238822b536e35224e55004bf2e1af4ec17d5b56ccfc58549

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
2fe6613e267857982d7df4368c9827ec

SHA1
d520c7427b283e3ff167b850ab15352e46d328d3

SHA256
2eba5f3f0b0dbcc2cd69c36c220a2355d1ba3cd67b6e25b5846c80e1604bcac0

SHA512
cf2fc8978adf54dce5700eda7d8beb4917c89bf5458131171eab95463e1b3a3315770f4baae07e498e8e36a8478f09e27054ca2d06b4542c86d8459360572be4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
594be5b10d9f551e551cf20eae0e6dfc

SHA1
191c20f5cb0c27ecc5a055fa2379694f5e27a610

SHA256
e350ca62e777da4da6d25885be96d48e7ce3acf021a74f2a4902354a1bf03fbb

SHA512
e27bf6593a177c22e16ddf5a44d82b34b02063645a7fd63943b936028d9c433c89628038768a300c296c2d3bcab2ef6b8532a19f7283952d041865c704f62b0b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
da69785dfbf494002f108dd73020183d

SHA1
34bb6061cdf120e7dced0402e588c3f712cf2dc0

SHA256
8cce22e7f13486f2bc612dcc8fa31d81038e6084a350fa10299d40c3a7f878c8

SHA512
db773783b63ed1d66a59272e05304c174b69f85d2838ae8049dffed6b6b30c2011fd9042dd652f9a1733a2b6891870b426cf1985d41921e5360c9b1ae1330e20

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
395286db3e67a59868e2662c326c541a

SHA1
716014d76622612a1bde2d4e1744d024f6d0b830

SHA256
02e48ee4e10354a2b2741d2e57ef565404753779f847906b5ae5c98ede06c01b

SHA512
64cdf1e6701ea57474051e338eee74859fc0ff4acd71ee0718a9b8cd698e94a9793c1901b6791fc0fc268c53fbc1e7e2f94ac1024f3f8765bf713954c194b0fe

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
b9e30df8cf272813b121133fcf259752

SHA1
16706f982f16d5feb9c808f94b8cfa50c23f5d80

SHA256
88919d7be26fb3e06401fc0254733d92fd743ecc56da4177b41613e1f094c3e8

SHA512
7beb65c0477b02742741a8ce23557f4f15e8cf1b1ef03a6bbadbf594bdf2cd686d7356d93719111d27b309a10ca75846765a13bb3eb4d0411785dfb13a675fc4

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt

Filesize
4KB

MD5
d75580775d67a85353189736222a8878

SHA1
ccb2275c8f5d119640064fd533ca15f30d93f331

SHA256
10720923c1048502c5191d6d1d8580e35e707b24d457941dae94a87371af989a

SHA512
757dd94a1e3debb2520855a3d00e44e3a98b5764caf9c16c8d088fc1a1f1024eed742f1051635721f4bf2c00d1dac11fd975c09a7f5df78d1863de88f9bbf9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2004249c3696d26d03138a0e4475ee4a

SHA1
aa7edacc18ed5abc12318d9e3f03dfb1ed1a96c1

SHA256
44308f2e0ddf1336826b136581dc83dcf4bae4081be9833fb9317787e0424573

SHA512
e691bdbaea8504a6b306d68425998fa67bedfbc6e1a7a1ee18cf670da1251e9a577d82e8a4e3566005579a444488cc288c369e02cf4222e1eb34302983213264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
65e3ed6518fdfa8c1211812db21ff92b

SHA1
9e694d0d7c8b8d23a82c2721c4f0ab57bafcda8c

SHA256
336d0e3edbe5e853c154be2d70dc312da96dec3135c9eb6fa44160e8652dd937

SHA512
678b02cf2f9920d4772aec3739852f13897925ac47ff05908e6052278d97e0ffba92fbf953a0a976f1caa794c88395b53728a9e97be7aa011620f927efc7207b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
da27a0020e266936a736f39e7d2f5145

SHA1
41b22805923fd48f818483873929e67ceabf448f

SHA256
24a929a4cb3a73b3fd1b54d4ecba3ec7cb0f852228c55b83e5e41f703845d02e

SHA512
79f26d8c228c2556dc8a46e3a009cc904a0302f2a9b502b401b969d6ebd005ea5a751049bc4ab200be6b6559de178d475916db49ec29a8b2ffa1534428ef01ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27007d9314df4255ad9ee78db51091c1

SHA1
1da6ddc2888ab23f1a1221f479a2130682bf2ced

SHA256
4ff1d59c2a2e5c06c6e4c46c4feb2e2e11fff9ffb68520c7da3fc696f659715e

SHA512
f54fd6128c54f2df097986fc6e1505384238f7afceccde747c9edfed85835ba6dc8de316f8a888045cb66bf066dbccd1b4869997eb582e1dcaf47dfe1f459de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ec7d8844f0883c83fc78ed4cc1bf3c9

SHA1
511d39ce48d9bbd43ef0633f31ea48bf8986a83c

SHA256
a2ba118fa30556a45ffa0cb19c35e5688f76715c39cb730f44ccf64a84e889ec

SHA512
88e2129f05efe720810b2b69f355c4b3abb23e2acc8e156aacfe7fd85c7fd05e2379de5246f11a12f0364a686b3e136124016e8e48492c3477e8f80cced0964e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9407886afd277797273766bcca137f8c

SHA1
863917afe368431d3f52a768380700ae8ba3a489

SHA256
e080f555ffa216cb35ffffbe97d916dd4e7a6e200ec13ffc89fda18a6be6a78c

SHA512
e5e580785179cbef1b1a8146e17431ea1406885c8b22ac26384757563cfdb5f41c75b80ee01132a718351de07b57dc5be6bf05078923d652f28d1de878eb94b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8cf07583d673f596733f77055d18443

SHA1
1197493daff7be983c68e77839e96c1fb55f7e0f

SHA256
1e9313d1e57602005e4e7cb3ceb19f1607c98e2493ae419c669ddaac8195b20b

SHA512
d2d706657c53d6f696f9c2a1b2db78a0191df3959ce819920d00f14a033406cc5f3c9414e48464d6933aecabadaa96a6da78ee8f66fae9841c2fef512ab6c08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
4178e6be703a0c6abb5ee8143fb7c34e

SHA1
ece32484505981e22e7d5e4ecf38d8681f527dfa

SHA256
89161bb2f0018be5947035540a1cbfd6f8e4676b7d373f2fa239acc22085503a

SHA512
977c6287cc7882508cf97df54af35e3c93f1515acf2c11aedc8efe20a318051f8accf8309090df6325fbc8856cf484d0df6bbbadcb11b6767d6b26490c7dfb62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
766c8174bf28e594692f3c09bbdc101e

SHA1
03f5ebb2a3c09ae0c51ea3f2ac1b96d58189fe2b

SHA256
73cf40c3f7c7b7be971d1ab3067d7edf59df5f31523efb6a9b02f932fab4327a

SHA512
db3b239ab2043ccb5773054f4489e8e9a9c332c9fca7236cfbed7d0cf63442d023fcb672610e7d27209d39ac3f3f31dcf5403104a91f8d40d3fec6021ce25dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
78075229ac5b7500e3b74de37527539b

SHA1
7c6b4438b8fc3205695b476164f6403b466f9e47

SHA256
3d17397c891761d16706e2d8eaf740f752b6394d6704e9f2330ee983ae466c1f

SHA512
11d51520e0a72991251fe76945373138a66f6ae6f4b9d90d8df194afa65aa90dad2edfd0bf4147d88e2e1e7e4f136d063cdbdd27c77b76639392d49f37d0a590

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c9ea6335177635516975882beb00851

SHA1
644ea7270331a0b4733b9cc865ccfdf4d627fa24

SHA256
bf37c0de5e3719a216bc738aeddd3b3833d706c264e34389cff94a38c5934feb

SHA512
ec98364c29235c794aa052a0e3fdb5620be7472c47ed324b0257fab401f4d4c39494ca4c799a29778ca31f4636e32a72215d1c115d5b52cd4b6357407fb0def3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd2aec6c7719f95113619d8bd525a1d8

SHA1
0f1858125349d570acf0ba65d5f4175f7bb21a6a

SHA256
502a7552b730aa55a06a1936290ed57d6d3f923e7a88510c6b3227f21a8ae672

SHA512
d75d532ea06bb9008a780b7501eedd34dba35d2da290b6ff3dd0e556994d7b00ca0056b22aacfb00c5e6e51bb4d3430ff333ffb463fd5e230ff73cb45f968ffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp676D.tmp\System.dll

Filesize
11KB

MD5
a4dd044bcd94e9b3370ccf095b31f896

SHA1
17c78201323ab2095bc53184aa8267c9187d5173

SHA256
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

SHA512
87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp676D.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp676D.tmp\nsDialogs.dll

Filesize
9KB

MD5
0d45588070cf728359055f776af16ec4

SHA1
c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

SHA512
751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp676D.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp676D.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 968814.crdownload

Filesize
2.2MB

MD5
70f3bc193dfa56b78f3e6e4f800f701f

SHA1
1e5598f2de49fed2e81f3dd8630c7346a2b89487

SHA256
3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

SHA512
3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

Download Submit