hxxps://getfiledirect[.]com/?id=Steam%20CE_45680874

Analysis

max time kernel
600s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getfiledirect.com/?id=Steam%20CE_45680874

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Steam CE_45680874.exe

Executes dropped EXE 6 IoCs

pid	Process
6020	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
4960	Steam CE_45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
2424	setup45680874.exe

Loads dropped DLL 64 IoCs

pid	Process
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Opera GXStable	Steam CE_45680874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Steam CE_45680874.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Opera GXStable	Steam CE_45680874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Steam CE_45680874.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Opera GXStable	Steam CE_45680874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Steam CE_45680874.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	Steam CE_45680874.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup45680874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup45680874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup45680874.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 470357.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5048	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
4504	msedge.exe
4504	msedge.exe
3508	identity_helper.exe
3508	identity_helper.exe
5892	msedge.exe
5892	msedge.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6100	setup45680874.exe
6020	Steam CE_45680874.exe
6020	Steam CE_45680874.exe
4960	Steam CE_45680874.exe
4960	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6120	Steam CE_45680874.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	setup45680874.exe
Token: SeDebugPrivilege	6100	setup45680874.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
6120	Steam CE_45680874.exe
4504	msedge.exe
5048	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
6020	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
6020	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
4960	Steam CE_45680874.exe
4960	Steam CE_45680874.exe
6120	Steam CE_45680874.exe
4960	Steam CE_45680874.exe
6020	Steam CE_45680874.exe
3892	setup45680874.exe
6100	setup45680874.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 868	4504	msedge.exe	88
PID 4504 wrote to memory of 868	4504	msedge.exe	88
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 1444	4504	msedge.exe	89
PID 4504 wrote to memory of 3324	4504	msedge.exe	90
PID 4504 wrote to memory of 3324	4504	msedge.exe	90
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91
PID 4504 wrote to memory of 3616	4504	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://getfiledirect.com/?id=Steam%20CE_45680874
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae68d46f8,0x7ffae68d4708,0x7ffae68d4718
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,18152206253269878976,51820235863585814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5892
- C:\Users\Admin\Downloads\Steam CE_45680874.exe
  "C:\Users\Admin\Downloads\Steam CE_45680874.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:6020
- - C:\Users\Admin\AppData\Local\setup45680874.exe
    C:\Users\Admin\AppData\Local\setup45680874.exe hhwnd=1704330 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-7u0m5
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6100
- C:\Users\Admin\Downloads\Steam CE_45680874.exe
  "C:\Users\Admin\Downloads\Steam CE_45680874.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6120
- - C:\Users\Admin\AppData\Local\setup45680874.exe
    C:\Users\Admin\AppData\Local\setup45680874.exe hready
    3⤵
    - Executes dropped EXE
    PID:2424
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:5048
- C:\Users\Admin\Downloads\Steam CE_45680874.exe
  "C:\Users\Admin\Downloads\Steam CE_45680874.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4960
- - C:\Users\Admin\AppData\Local\setup45680874.exe
    C:\Users\Admin\AppData\Local\setup45680874.exe hhwnd=66098 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-7u0m5
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
60ff11fde88c9e1b211d6772bcdd7737

SHA1
101a24028c8f9d2d5992e68667fe2355b0367edc

SHA256
a98fb7f006856d16342022f9c65b78f844ff9e6ca2a7eb04f4b7e840f0f1db20

SHA512
be724459aeb96a074bfdc681a030de65c74f94b8e3624adfe4dc549d7709869f3b17c05e196e029d7a413a8608dfe4f6d47c65e8f4615056f302c3a414915477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\700B9980BA1F8C3D19B9578F56B7386F_345749F8109B3F0DBE7840DC04B120E5

Filesize
471B

MD5
981ab5f50cf2089d88d1802bc2285d4d

SHA1
a306a1a80ebed1bc9ed002c21963672a1c8b3d44

SHA256
aa304a17a066058c7d56dc97689cf4b68ef2f2b287742dfce12def3fbd662d83

SHA512
894c688f9a874ec6a6da35acd91470a672c70e049a676a4b23466d13f5e23821ac771868116e8b000f21e6fa160c1fd41634106ad9f05da195def040d0a2554f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13

Filesize
724B

MD5
037ae8164352ca91e80ad33054d1906d

SHA1
1d6520e9f51637e61ee4554393f5ac5eddb18ebd

SHA256
07c018eb07002663d5248daa8a65eaf587955e3db45735e7e3ac9cb13d7d664e

SHA512
a092a9e43bb47bdb0e081bd4f2c0ef7c6f0ab9fbe3babd624d577186ba52e52e86209a527ced887275b74aa127b03e83c476a2a39a1d6dcf0ba1d024e7bd7730

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d6ec341790ae299f1f9dab4d8f864f7b

SHA1
106050c57bc1bdfd724e9332358cabc0fa6b0757

SHA256
c38e308cb934a43152aa5ebacd3104331f9abb3c8b1fa9ba4bb129de65ee4db8

SHA512
d82a416bfc26deadfcae281024968cf457189c5aa5d27a8bc41dcc58d21a8695c564fcab380581efc6194274b0a263f127169299b6761f0a2541e25d3416b1f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\700B9980BA1F8C3D19B9578F56B7386F_345749F8109B3F0DBE7840DC04B120E5

Filesize
430B

MD5
71e196e2d05c033f26f263af2a2b0683

SHA1
4235da4963f6e0f95ab561bed37f8dba4aade797

SHA256
02af97aa7b8c00f21f0148d964416e6b749dc9ba7c2fb9211dd8b5fdb9c071d1

SHA512
ccd1114002499cbf864587b8ba33865dfe315d030661f55b307306e1628105d8dee925d60cd0d5de25595f378fb86eecd1f6601a4c600b48440875595751b58c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13

Filesize
392B

MD5
11bd23af7a68746666f04a432d1bc86f

SHA1
1af424dd655b7d1242011f6c4d2126e5f6837929

SHA256
3443f794eb29cd13940712f5acf7c2aad06518a27a45d5fa4ce682499afdd0fc

SHA512
8a42d8500de375aca7c658a4234ce38056953d8243a2a357698a473d12c4ff9e57d064bacdcc66b243fd590cbe93eb5466ed378086393d87ab14cb4bca68310d

Download Submit
C:\Users\Admin\AppData\Local\DT001\setup45680874.exe_Url_a4ylsi00mkngpa2sdhnz2lij315vwnbo\2.0.5.6649\ebdbvatr.newcfg

Filesize
798B

MD5
f3da41e2f01ec12a28efa662df2fa963

SHA1
9760227f497132829ec34fffec6184969043bba1

SHA256
a4544f806b5637e45e2e702c7997d0b6a52b805670a72aac518d189c3004d1c2

SHA512
ae4f56f93a2386abe8891ba5ba1cc7de166a28c6a2f3913870bed2926ac43469bbbf0b4b18acf2fce7c7f120056e36b3777aabbdf9715cc12d2159403e392e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e494d16e4b331d7fc483b3ae3b2e0973

SHA1
d13ca61b6404902b716f7b02f0070dec7f36edbf

SHA256
a43f82254638f7e05d1fea29e83545642f163a7a852f567fb2e94f0634347165

SHA512
016b0ed886b33d010c84ca080d74fa343da110db696655c94b71a4cb8eb8284748dd83e06d0891a6e1e859832b0f1d07748b11d4d1a4576bbe1bee359e218737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0764f5481d3c05f5d391a36463484b49

SHA1
2c96194f04e768ac9d7134bc242808e4d8aeb149

SHA256
cc773d1928f4a87e10944d153c23a7b20222b6795c9a0a09b81a94c1bd026ac3

SHA512
a39e4cb7064fdd7393ffe7bb3a5e672b1bdc14d878cac1c5c9ceb97787454c5a4e7f9ae0020c6d524920caf7eadc9d49e10bee8799d73ee4e8febe7e51e22224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
0c18106e38c0ba778b37e7572d040b8f

SHA1
cde9ccc7090da7daf677aa6814ca387c393f43c9

SHA256
2d637596ae436fb152889be4032d54cd567e3843e9449f29715bef0c3b0f0a29

SHA512
100334eef42852d555c6e1d39151095a5c5d7e28751af2f9119088c3a873a7d4409f4337716c1f833e0cacc4ad8a00da6840b3eefdec066bbc508153bd6f06c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
edd55cce8dd6838cc9f00ec5dd198549

SHA1
af577618ef272ebd94a8ab6d8ab1197239e656e4

SHA256
09111326131e99e65438d2496698b3faf9c8371e9f58ccd5d6e9e922cca45da1

SHA512
e7578607f53878f029ab0c625d5059a55cc71e01ccdc88a89413e4c5ee8d376d0859a7dc9905906de005de5c95c9ddba6e65410706106bc3a6da1fa5d0d7e84a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1562b9aa1c698323b3febd8015229843

SHA1
664c8b3c63e65d53804b6225aaf3e05befcad921

SHA256
a5831ae22d17971d5e99c33b7da804da1717a1087020d6437f28a2985907b240

SHA512
97eb1e51ef07b6565d3fcf05dab229ad59b62e96cb2fb11bb90d05288575e30cc96229cedd8ec6f65eee8cddbef330598355024910e0d69decd50eb1766e751f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c3038b69d794a23486bd34745d58ffe

SHA1
e9b934e4d87caf9d84a0b116d9ffe38118bb6c4d

SHA256
3e85f951282f056f0be51cbcd4e76bdee5c76d468b2bf634922b2782ba5a375b

SHA512
1c19edecf73638182b925133156e60100bcf49ed7384d48e63df8e802d20087fc7bc517e6489d305f22c67916bcf0dc613320c5b177d6d708a3b32ba855482a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1215eba1c66511e43c6c6fa4e0de9d73

SHA1
f2e97b08c9802fe616e8b63494c40b79ca157031

SHA256
ad20d602a2fc9690520b320c6c9ac73aa39305981fb2ef0f5aff005bdd743031

SHA512
3d5f22e1b46e98ef94f543a403b115f5a55372570a272f509d51ba1a17abf50e92eb7bf1aacaa096640aa7adb7cc4823addee4fc90e6310d4f5cf1b5803b6aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3960045708bfae3109c2c180c0bff00d

SHA1
01687c4fe739c37df1a068943ca15f92f089ca07

SHA256
7d74f9e40021b86c804fc4a0edadcd45919f8615450b3d81ecb2adeb480c8465

SHA512
d19fafae324f8184bab653cd70e6cc3602d5a40c8e19b645c6f5b6dc9325f1a269fd5fab07a50047c0f48c08e41a4785680ef332a6ed655c4c4ab881bbbb432d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ac7b97c444021ed988082358f3a27b7

SHA1
58afa41d1abe514abbe3c93db711cfd5d12aa990

SHA256
2eff6bd8ef3112225bfb6a8e69b74b38ee3a25274327696907eb0c4f5f40e34b

SHA512
7e61c5049092f4be91f7e0c5d686b2e1fc8e66d6e588f8b05cda834d25bfc78b6bfb590061215977cbd04ff8fd644bf2f547299b4da3c0559f67a10048192b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e2686230301860d2bad94d4c477a7300

SHA1
c24a2302c5cefd420bdd1256ab67dddc3c4c8415

SHA256
66ab5b5358b40d4a81901f51678e98e8f0970bc4630024ad4314c2fa65b3ef6b

SHA512
b4be1225e2fcbd371e7e1f80e5b568bef1813e992692e63c4db426d22a6ff061dcc763a159505a733bd92897b7e8ec3aeccaa884df7e5ab22eeed825c97c502c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
3.2MB

MD5
be4c0783ed8e9b6334bd60eb5726466b

SHA1
30131ff740358327d9d683235f5a97ea9eaef349

SHA256
e8184aa4f2f90379af91a212888411fbcb379ec1e927fe306cf501b7ab9e1f93

SHA512
15d61f82da44378eead14969206136d756dfdbfd7bfa18cd00569a4d0dbb68977e47d15192db732f7d2ca0477024c62256a906a90a59284633bc60bb7e93549f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
14KB

MD5
29f92ceb3ec01d32c974de6cd3062b56

SHA1
aee29b9aac32753dbcc8e63d89810a492fb2322e

SHA256
d2f0487a054ff6d990eb708b5f5c30ffc4e8a6943ad4fbffd7aef48767b42cf6

SHA512
7f5326dd974d9960ba1d1471d0f0568e2c2dc9f7e34f9b6d7dea20086a233405d36e69e3bf2b492a9a211a735c37e09b9a72d4b85475ac0bbe3c66999876b3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
64KB

MD5
6dd599a137f90773970a60e49d90073f

SHA1
151f9fcbd9043b731f444539ff0399aaeaf17543

SHA256
e33066f1b450ba62efe72120c5c2c9da34bed3008d4667e837c8231c159cea8d

SHA512
06c6eb967fc59b14bca9868349a9304a0e3196f99c40378678b1085e4bb58aae585291b89077900cdb6799eecb77a7de59bcc9339001365e01facd547bac5a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
14KB

MD5
d50321bf0829b78774b5a8e1b051b56b

SHA1
3b4234d2dcc21481e3b5e57ec6e6d13d0d382648

SHA256
ff0f8d3e255e6a6117b6124848a3a835d7a23bfe5f607291423644dd6df02faa

SHA512
345f0454a7dbd2d480e17025d81b74b260606230473181dfd5dd5bea9a78ce4c74b9e8f39c5d166463799dc4e5af7bc273cc10c086dff8c2a49ddd94a78be7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\setup45680874.exe

Filesize
2.8MB

MD5
524e2d977636c2e39cc2b2a9d3363668

SHA1
257b93ddf6ff1ba216b6745a1f6a176636f2c45c

SHA256
0a4aa67b220d5cbfcb59b7d1a9deae9b9cb6e56936db67f55f95ddc5c576be70

SHA512
24672434af4de0a7079e86135a472cf2bd8bb07278e39c8d180a47caf6937456f3812b55697900f99ab9b85d07b4e60333c5500266bbfbd4a776a5201cd08a61

Download Submit
C:\Users\Admin\AppData\Local\setup45680874.exe

Filesize
2.4MB

MD5
7776f80edd6a9fd3c48ecbf0c47f730b

SHA1
509b85adc3ce85cf5dee8a760f85ba71d4a3aa92

SHA256
247f0905b80a49df13580900641061ddb4e5a424c2db54ed81d036c34a55e639

SHA512
39075850ce6a7673d40b7d70ec14467f792123589190ed4d303201780e41f174374fe46cfc0642f0a444c7f1cf9ca34468d09d205277b38e614e703f2ccf737c

Download Submit
C:\Users\Admin\AppData\Local\setup45680874.exe

Filesize
3.1MB

MD5
93021cc927c8f27f486b1bdcb22b8b23

SHA1
1ce6aef933d33daf68a6d170e9a9f4f586e2322a

SHA256
3f115e45dd1029daccbfc2a8bf196c271e6012c2c7a6df593a91944808db3ade

SHA512
2e4657e6643de71be68106e8cde79e9e7e7be0ac33d7246456bc6d0a6dd762c0d40987083249079a0cf04c691bfc05a32e0ce2b81c3950e490f0543a181f16ef

Download Submit
C:\Users\Admin\Downloads\Steam CE_45680874.exe

Filesize
8.7MB

MD5
80020319b9381bb8c65c9002cf14b04b

SHA1
23766dc2a3678c34437abd778cec977025600fb1

SHA256
1a7001a880afd335506b5b36314dac0bd4568558c2cb4ab4059e415a9d3bf014

SHA512
70b2f42baba691856f695e73396466f63c51f31f3a4e4011faa508d682b6e456373b81bbc30afc2d2553c711b47c68215fa81046ae4faaae6aed6ce5703b679c

Download Submit
C:\Users\Admin\Downloads\Steam CE_45680874.exe

Filesize
640KB

MD5
5dac57f471228943e64782cb1ea0db17

SHA1
8a2302211b2031963b50f9c112c3179661e22ffb

SHA256
f3c7322b255436430ecee801acf1b4c7012856252fee2703e6c73323778a0ddb

SHA512
794be91a4913c6d948859bec16078f16d66fe9ea40370afa763ecfdb0186b1489938da5c0907c02cb0d23adfe3c7b447457ef96803217ab7c965f91c8a1de0fb

Download Submit
C:\Users\Admin\Downloads\Steam CE_45680874.exe

Filesize
3.5MB

MD5
a278e33b85674378058603aa72be3483

SHA1
e45ee43f7019efaba6c628dcdfb57c5947ee3037

SHA256
21005fccb5d916b06a9f6300a5efce204c11c8fca6b791b817f1488f9702bc6e

SHA512
9c87a6bf5eb846e96f7eeecee9559976d620f8f7ade38ee8a9976b4085625c21b04ab6e6ccf04835f63740bfea25283980b7d9c249389186099128418008c04b

Download Submit
C:\Users\Admin\Downloads\Steam CE_45680874.exe

Filesize
190KB

MD5
bb13d37df7babcfa73f6ef92e57a666c

SHA1
a9d170d588c959dbcca9d91e432f88f3950b7798

SHA256
3e4a355bd33f05a8092e3d12e7b7ba992ba7dfe299b430308e8fc2d321fc713f

SHA512
c2443ba6a4419a061f9b513e4ed74f8b88625a79f19552637bc46ff2baae3ffd6f4d10a1a466e7e3b6057d075ada06dddedf4f794fe044562400b085bf9b942b

Download Submit
C:\Users\Admin\Downloads\Steam CE_45680874.exe

Filesize
7.2MB

MD5
0a5f84363d917627e2df41cb69dd027b

SHA1
fb7b844f11e8731ac774d1efcb13b3fb7a2fea51

SHA256
0fc5e7ad6c5b02a931895231e537b8c0fc637f7f0909eb5303cfe425e9b590fe

SHA512
47cff16b2a664a59e40d545e9a82b738b8df0f3bd96438bedff256f04f6ec74ad3084b28134e2e77882bc55ca2160471bddb39bc1a2a5b4377246d424c58740c

Download Submit
memory/2424-446-0x0000000071C10000-0x00000000723C0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-447-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2424-451-0x0000000071C10000-0x00000000723C0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-452-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/3892-248-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/3892-257-0x0000000005920000-0x000000000594C000-memory.dmp

Filesize
176KB

Download
memory/3892-221-0x0000000005800000-0x0000000005832000-memory.dmp

Filesize
200KB

Download
memory/3892-210-0x0000000005760000-0x000000000578E000-memory.dmp

Filesize
184KB

Download
memory/3892-222-0x0000000071C10000-0x00000000723C0000-memory.dmp

Filesize
7.7MB

Download
memory/3892-229-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/3892-296-0x0000000006670000-0x00000000066FC000-memory.dmp

Filesize
560KB

Download
memory/3892-279-0x0000000005F90000-0x0000000005FA2000-memory.dmp

Filesize
72KB

Download
memory/3892-302-0x00000000065F0000-0x00000000065FA000-memory.dmp

Filesize
40KB

Download
memory/3892-228-0x00000000057E0000-0x00000000057FA000-memory.dmp

Filesize
104KB

Download
memory/3892-308-0x0000000006870000-0x0000000006892000-memory.dmp

Filesize
136KB

Download
memory/3892-309-0x00000000068A0000-0x0000000006BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-236-0x0000000005870000-0x0000000005894000-memory.dmp

Filesize
144KB

Download
memory/3892-265-0x00000000058B0000-0x00000000058CD000-memory.dmp

Filesize
116KB

Download
memory/3892-345-0x0000000071C10000-0x00000000723C0000-memory.dmp

Filesize
7.7MB

Download
memory/3892-242-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/6100-234-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/6100-337-0x00000000071E0000-0x0000000007272000-memory.dmp

Filesize
584KB

Download
memory/6100-343-0x0000000005EF0000-0x0000000005F1E000-memory.dmp

Filesize
184KB

Download
memory/6100-316-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/6100-344-0x0000000071C10000-0x00000000723C0000-memory.dmp

Filesize
7.7MB

Download
memory/6100-313-0x0000000006E50000-0x0000000006E5C000-memory.dmp

Filesize
48KB

Download
memory/6100-320-0x0000000007FA0000-0x0000000008554000-memory.dmp

Filesize
5.7MB

Download
memory/6100-151-0x0000000000B50000-0x0000000000F28000-memory.dmp

Filesize
3.8MB

Download
memory/6100-152-0x0000000071C10000-0x00000000723C0000-memory.dmp

Filesize
7.7MB

Download
memory/6100-174-0x00000000058E0000-0x00000000058F4000-memory.dmp

Filesize
80KB

Download
memory/6100-202-0x0000000005960000-0x0000000005988000-memory.dmp

Filesize
160KB

Download
memory/6100-191-0x0000000005930000-0x0000000005954000-memory.dmp

Filesize
144KB

Download
memory/6100-217-0x00000000059C0000-0x00000000059E8000-memory.dmp

Filesize
160KB

Download