5d8d697707c89466cfe203bde7e242680d020646bd5e49edaabd67fc6a7d6321

Resubmissions

08-05-2024 20:14

240508-y1cebsfh84 5

08-05-2024 20:11

240508-yygw2afg78 6

Analysis

max time kernel
123s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamSetup.exe
Size

2.3MB
MD5

b1f4bc644f535c745341de0303631d9c
SHA1

8d66e30416004cc2e98334a276c181ae1e67be55
SHA256

5d8d697707c89466cfe203bde7e242680d020646bd5e49edaabd67fc6a7d6321
SHA512

e3fc8eed9061dd8c555a26c29436c7c5218c6409096e37d11b34edcab448d5c3e9f7dff5e5c5ab2a0e3ee96da666b3be7f2b3f028fc122f35f74c51518aa0d44
SSDEEP

49152:GDJvIRwCA97eXdXY1/aq95f9zRsBON2VGabSV9MbHv2XR3fHuc7ZEG5:vWC2KX5Y1X95VzvwpWVKrJW

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_down_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_triangle.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_dpad_touch_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\ssa_french.htm_	steam.exe
File created	C:\Program Files (x86)\Steam\bin\SteamService.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\licenses.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\achievementbg.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\subvalidatecontactemailintro.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\sounds\deck_ui_message_toast.wav_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_down_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\c15.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_rstick_click_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_b_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_one_greek.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_square_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\GameOverlayRenderer.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_l4_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_y.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_rtrackpad_ring_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_060_vehicle_0160.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\glyph_x.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steamui_japanese-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\gridview_mask.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\wasd.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_hungarian.html_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0120.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_japanese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_r2_soft_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_button_steam_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\emailreminder_close_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_r2_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_outlined_button_circle_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_circle_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_ltrackpad_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0356.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\steam_spinner.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\steam_controller_turkish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_one_brazilian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_color_button_a.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_r_touch_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_outlined_button_circle_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_Purchase_Refunded.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_steamvr_desktop.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\steamui_postlogon_dutch.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_x_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\lv.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0506.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_tchinese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_dpad_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\tabSquareTopRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\steam_controller_koreana.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\steam_client_win32	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_090_media_0302.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\loop_7.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\chord_neptune_external.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\menus\steam.menu_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_l3.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0317.png_	steam.exe

Executes dropped EXE 17 IoCs

pid	Process
2780	steamservice.exe
2964	steam.exe
2428	steam.exe
1948	steamwebhelper.exe
1476	steamwebhelper.exe
984	steamwebhelper.exe
1652	gldriverquery64.exe
1980	gldriverquery.exe
2716	steamerrorreporter64.exe
2644	vulkandriverquery64.exe
2472	steamwebhelper.exe
292	steamwebhelper.exe
2952	steamwebhelper.exe
2456	steamwebhelper.exe
2008	vulkandriverquery.exe
908	steamwebhelper.exe
684	steamwebhelper.exe

Loads dropped DLL 64 IoCs

pid	Process
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
2964	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
1948	steamwebhelper.exe
1948	steamwebhelper.exe
1948	steamwebhelper.exe
1948	steamwebhelper.exe
1476	steamwebhelper.exe
1476	steamwebhelper.exe
1476	steamwebhelper.exe
2428	steam.exe
2428	steam.exe
984	steamwebhelper.exe
984	steamwebhelper.exe
984	steamwebhelper.exe
984	steamwebhelper.exe
984	steamwebhelper.exe
984	steamwebhelper.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
1948	steamwebhelper.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2428	steam.exe
2428	steam.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2472	steamwebhelper.exe
2472	steamwebhelper.exe
2472	steamwebhelper.exe
292	steamwebhelper.exe
2952	steamwebhelper.exe
2472	steamwebhelper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\steam\DefaultIcon\ = "steam.exe"	steamservice.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
1884	SteamSetup.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2716	steamerrorreporter64.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe
2428	steam.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2780	steamservice.exe
Token: SeSecurityPrivilege	2780	steamservice.exe
Token: SeShutdownPrivilege	1948	steamwebhelper.exe
Token: SeShutdownPrivilege	1948	steamwebhelper.exe
Token: SeShutdownPrivilege	2716	steamerrorreporter64.exe
Token: SeShutdownPrivilege	1948	steamwebhelper.exe
Token: SeShutdownPrivilege	1948	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2428	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2780	1884	SteamSetup.exe	30
PID 1884 wrote to memory of 2780	1884	SteamSetup.exe	30
PID 1884 wrote to memory of 2780	1884	SteamSetup.exe	30
PID 1884 wrote to memory of 2780	1884	SteamSetup.exe	30
PID 2964 wrote to memory of 2428	2964	steam.exe	36
PID 2964 wrote to memory of 2428	2964	steam.exe	36
PID 2964 wrote to memory of 2428	2964	steam.exe	36
PID 2964 wrote to memory of 2428	2964	steam.exe	36
PID 2428 wrote to memory of 1948	2428	steam.exe	37
PID 2428 wrote to memory of 1948	2428	steam.exe	37
PID 2428 wrote to memory of 1948	2428	steam.exe	37
PID 2428 wrote to memory of 1948	2428	steam.exe	37
PID 1948 wrote to memory of 1476	1948	steamwebhelper.exe	38
PID 1948 wrote to memory of 1476	1948	steamwebhelper.exe	38
PID 1948 wrote to memory of 1476	1948	steamwebhelper.exe	38
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 1948 wrote to memory of 984	1948	steamwebhelper.exe	39
PID 2428 wrote to memory of 1652	2428	steam.exe	41
PID 2428 wrote to memory of 1652	2428	steam.exe	41
PID 2428 wrote to memory of 1652	2428	steam.exe	41
PID 2428 wrote to memory of 1652	2428	steam.exe	41
PID 2428 wrote to memory of 1980	2428	steam.exe	42
PID 2428 wrote to memory of 1980	2428	steam.exe	42
PID 2428 wrote to memory of 1980	2428	steam.exe	42

C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Steam\bin\steamservice.exe
  "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files (x86)\Steam\steam.exe
  "C:\Program Files (x86)\Steam\steam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=2428" "-buildid=1714854927" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1714854927 --initial-client-data=0x224,0x228,0x22c,0x1f8,0x230,0x7fef5feee38,0x7fef5feee48,0x7fef5feee58
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1476
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1100 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:984
  - - C:\Program Files (x86)\Steam\steamerrorreporter64.exe
      C:\Program Files (x86)\Steam\steamerrorreporter64.exe -pid=1948
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1156 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2472
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1572 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2952
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1588 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:292
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2456
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1252 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      PID:908
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2368 --field-trial-handle=1232,i,11425710568184518748,15412227537651619320,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      PID:684
- - C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
    .\bin\gldriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Program Files (x86)\Steam\bin\gldriverquery.exe
    .\bin\gldriverquery.exe
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
    .\bin\vulkandriverquery64.exe
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
    .\bin\vulkandriverquery.exe
    3⤵
    - Executes dropped EXE
    PID:2008
- - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
    "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=2428" "-buildid=1714854927" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
    3⤵
    PID:2964
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1714854927 --initial-client-data=0x22c,0x230,0x234,0x200,0x238,0x7fef5ebee38,0x7fef5ebee48,0x7fef5ebee58
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1148 --field-trial-handle=1232,i,12174381537690786456,3549780365587863053,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1556 --field-trial-handle=1232,i,12174381537690786456,3549780365587863053,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      PID:2560
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1508 --field-trial-handle=1232,i,12174381537690786456,3549780365587863053,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      PID:1720
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1180 --field-trial-handle=1232,i,12174381537690786456,3549780365587863053,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      PID:2624
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1324 --field-trial-handle=1232,i,12174381537690786456,3549780365587863053,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
      "C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1714854927 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2252 --field-trial-handle=1232,i,12174381537690786456,3549780365587863053,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
      4⤵
      PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\aom.dll

Filesize
7.1MB

MD5
d764264518e77cc546a5876c3bcebad4

SHA1
ea17d45b396fa193a851bfd345e2b2c20ad60e12

SHA256
e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd

SHA512
7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f

Download Submit
C:\Program Files (x86)\Steam\avif-16.dll

Filesize
226KB

MD5
a09c5fa842fa4456a0b53b46f1050225

SHA1
9e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e

SHA256
3d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b

SHA512
71c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5

Download Submit
C:\Program Files (x86)\Steam\bin\audio.dll

Filesize
175KB

MD5
11c178694e376daceb091d0321a1ccfb

SHA1
c6526bc64f23d412a3a6eeaed0f5af7eaaea7f5a

SHA256
8feb103a5525f369403ce9460f939b93e3f7bb2a34cb7af53cc24200b1329ed7

SHA512
b735ef070dea53ee8af36e872afdbe66ee5037c31968f6045575f88f9ae9608ee1db87305e02f846ab99eea7616da0c706cf0369c8c9ecc0f7784ab9536eb872

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

Filesize
23KB

MD5
9c2202f9ebd8d2e8c90c93d3b0f433e1

SHA1
3d20c8f8428df16372e7de91a6d4f94b80aefb4c

SHA256
894842053591d4818bac9e1e476601cf39e4191b4bd0748ccb9f3c2711caa946

SHA512
b274b3f3dafd290f72351b36b9937445e78b6a16eb6cfa9a0b6de3cf11d5d809cd5f4095c2c4a05c16bdd1fb1be0b883e4c387ae8f7693eab958a63ce408097e

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

Filesize
23KB

MD5
0b2450ac7066b1aa6970cd4763bed6a8

SHA1
9cdc98d8a852c5e66c42e83edec21a1a2ab1d347

SHA256
9e9ee99c5fbe9a2a784d324b4bff06842874dbc33320c1fb02f063060d2d5c7b

SHA512
a1e0b0dee99c5d4ee03f15fa69436f41c965438b289eb244c8bbdec2de4b439e8ea60417ca6a37064b0aff023fbae5debb732e5e69027ca86623514520d6dffd

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
23KB

MD5
880c1094ab4679600f77012712fcfdcc

SHA1
d92636752ceed77e4eb37967306de746953e375a

SHA256
65e57b5316eee1433c006adc6487c3ad3e17412b1a6d5a35ba518aaefd871bbf

SHA512
de8a622fd97bcd0a429c7a0874fc6dbeacb966e406dc519448ddfb420f584686a7a5ef105b4ac45a3a8de3bf0b7ed5b79ed62a92ebfceea3bceccce7298af652

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

Filesize
23KB

MD5
df9bc6c6936655ed05180de600916f3c

SHA1
abfd6dc420368aaee7d3ce11cca36af3cb4446f6

SHA256
b34fda7a50b20aaae509d0919ced53d718afb997a2bd9f3b97446c3cebf994d6

SHA512
b6d935a6046a573df8c0a7bafd57c35f333f74fbe754e18de13cdf9a39fd9649449030539b208046651d648eca20e4b5d0e73a8a7d173d6ea37bbfc311b0d6df

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
23KB

MD5
a78aabc0f9a9dc5b9923d2ff67d24f23

SHA1
3a0330b84c7ca674f0710c10eee1e5126d545429

SHA256
39e98dd2cfd15b1687f3a8f8690a80026af0deaba5142c0fe503bbebca46d4c1

SHA512
3efd9fd95ef6aa16172c3d89150d49611c21deaa13fd50c2114e76380de573255ec6bdcfe10665bbe15a17c1d05ba327ca7ea24949ad1a173b3db86bab24adcf

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

Filesize
23KB

MD5
72dbf67f86c95cdef31eaaef5861a00f

SHA1
18134f00734a2255bdf9bbc777045ac2d4f2e2f3

SHA256
5c74808c61ca8b6acb8f74813fb116341b18c27e4a654bbdd383b9fee3f33d36

SHA512
e0bbcdfb658ffa70b047cfd84a0e8a5613530ed0a34cc9ac365f69e253894db4b6fd059ce02627c201c1e9efe0b98aaddb70a641ce297677d3f9162838fdd1f3

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

Filesize
27KB

MD5
ee9e1e1af17a74d23438fb63f6b66395

SHA1
11f60e073257560f5f3dc8943e854bf2eac36ed2

SHA256
8587505e511503127abb7e5c614853b7848a489d96da0a95bc736dc6c3097a5e

SHA512
aca34604580214291d1ea62765ecb280c6eafad7bf8967af8c268d2daff84f783dafec8ed334ac051ad61a14fc3128dc3f396116b9c6413a288fbe7bb099a202

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

Filesize
23KB

MD5
a5707e6342e22d92ef8df839783d1716

SHA1
642c499b65382d883f6f9381fa204ba8d08f1f10

SHA256
fbf7e43884a1fd8adf167a5cfa4319339e2dba84515ec4487e074decc9afb206

SHA512
33a5255fe6b46d228cc131d27479d272342e88f12d884b841751167000e2c6a9c08a996526580a8466e957f4696d2400baf5d2cc2b3e5f8ea23ae3803d684285

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

Filesize
23KB

MD5
a2317c5ce4c82910c7f4e97d48af645a

SHA1
67f5034a905cd1ef0c2888fd2cc40c2024d0848c

SHA256
363c1cc60b8cf09f026ffe4d6dabee37021f37d5719fa55ab807d56613e30b90

SHA512
35be28f55fcde4ad140fa089ee86aaeff3e90f174737474dfd502925313225db393a3e27eda0b44d9bee831ead48a24e803c35884842cee2946d558650b6f8f5

Download Submit
C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

Filesize
23KB

MD5
ae7a8beeed5233404cd32b2befa02077

SHA1
34ea5e1d5ef85bb5af4ac7483b8bc46e9263764c

SHA256
9e0fb5ca77dddd8716fa0c782a11d484756c471c91c35247a4e7e08f55e33b3a

SHA512
a6895c62834bb95622f909be1d85fc9b1796ab108c25b4652ae96517c2eea3df9b7c3ce951ec1283d91e5574e20eb1d6756b45b6d63753d3966bda2d8bf585a4

Download Submit
C:\Program Files (x86)\Steam\clientui\fonts\clientui.uifont

Filesize
1.7MB

MD5
1b6aeb32160addd984a78260ba17d764

SHA1
c65ba26fcffbb4c780df320134627eb113ecff88

SHA256
ca83b0992a668a5d94ed1164939393c090d784dde85a7fc8a2d735e4418af146

SHA512
164c0289c0c3542561a148982dad8d69757262da797066876df43e3b34d9177e90827a5599e20740c7657b60aa8b059237aa3ed41e4aff750bdad7048d3afc36

Download Submit
C:\Program Files (x86)\Steam\logs\bootstrap_log.txt

Filesize
12KB

MD5
a56c6a252b606fd4cee544300a68f372

SHA1
2732c820b04f015ac47cb75906915ad14950624b

SHA256
d39847b9b4a740f18711a2b8e3c973446d6c4c720db2fc9e454009f0339680d7

SHA512
adfdd1ab4e37e0df659bd30050d8ff98acd4a934267bf352f52327d436a24f7d78618e4066ec07e20431570b3419062d4dc7f5c722ead5e502650a4f82683b9e

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_metrics.bin

Filesize
2KB

MD5
db7f815a2664f9821846d0a81e4a3950

SHA1
e1a301cdb16e17287c8db6c7f828a5b69506143b

SHA256
2e6d953d5c3d0a5e24d05b87a7c6c73f1fcceb6088682bbdef224a2324a1d321

SHA512
fb5f858ecd57ba20110e8ff295352228589166bf92e5df6632cb909b497094acdffa6a1849737b758959ab47dc61131fa9d467d1573370b3292255d0db0e4887

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.installed

Filesize
464KB

MD5
04dcc7bf8f19c2fd5896f32237f631b7

SHA1
fa105024c54d29dd749b4c01c60ea87da75988d1

SHA256
df05002bd03ed8e04e4adea4daddc651171d0995744b52787409f6d467dda417

SHA512
f9077d8ec1d24630b1f17844e4e4a5b61baf0f45c5603ea66d5ae6e0374ecb4440618685660a16558c53daf6cfdbdc1245f85b81285b21dd44f619063c59890a

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.manifest

Filesize
9KB

MD5
523923fca32f03ad1cdfcbc709ad58ae

SHA1
4d75494feed080fe3220bcac3b5adf6a147cca1b

SHA256
0cd3dbfcbb72d6157e1ae67ae235282a19235bfd5175c2a911162cc6ee90c184

SHA512
19a5532211e3d10f0ac76ff137c425c16f92e72277c5b1fcbc76a0a7cc1ba9592317835d448b2d1cf331f6677a9937288ef755efdf4a8c67d372f46cc7e50b46

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
594be5b10d9f551e551cf20eae0e6dfc

SHA1
191c20f5cb0c27ecc5a055fa2379694f5e27a610

SHA256
e350ca62e777da4da6d25885be96d48e7ce3acf021a74f2a4902354a1bf03fbb

SHA512
e27bf6593a177c22e16ddf5a44d82b34b02063645a7fd63943b936028d9c433c89628038768a300c296c2d3bcab2ef6b8532a19f7283952d041865c704f62b0b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
972187ca96118637052c2c39b32a6277

SHA1
7cd71d6f0c00f75c441393f46a17f4fa765bb5dd

SHA256
12e4d3ba658994fa3065018cec6a9ae333d8ff7cd5a2bc6a45c1c495739b0de6

SHA512
e0c66541a9a57698aea201fad5a75cee18be24959a705c2c8fe1f089c4504ecd24ea1dbefee2241b7207734b68529d8908869eb9afda0c1dc2ec355c1c99cb1d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
58e0fcbee3cca4ef61b97928cfe89535

SHA1
1297e3af3ca9e4fe3cc5db78ebbfa642e8a2c57b

SHA256
c084a68b65d507eb831831aa2ab9afb9536cb99a840d248cc155ff87fad18425

SHA512
99aff0c481e34cd0e4fcbb2af471afb56d91aa11be664462b08e17ae169ca03ef77e7063b4ecd0f38ca7b2f6dc0bf2e316c7b31dffbbcfc763cd8fae27dc78d2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
6367f43ea3780c4ee166454f5936b1a8

SHA1
027a2c24c8320458c49cd78053f586cb4d94ee6f

SHA256
f8d1972e75a320344e3c834ba0a3a6a86edb39e20ef706bda9b7965d440d1998

SHA512
31aab33e0d272cb43a8c160b3d37256716a683e5052192fd0e4d3cdaf30a10a9afa9d26d5d14ad216ee455627c32892a711d2bc137ee7a7df9a297f001a19e32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
66456d2b1085446a9f2dbd9e4632754b

SHA1
8da6248b57e5c2970d853b8d21373772a34b1c28

SHA256
c4f821a4903c4e7faea2931c7fb1cf261eba06a9840c78fdca689f5c784c06c4

SHA512
196c2282ba13715709ece706c9219fe70c05dd295840082e7d901b9e5592e74b1bb556782181cdbe35bd1ab0d6197fef67258b09491fabc6f27606dbed667d49

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
194a73f900a3283da4caa6c09fefcb08

SHA1
a7a8005ca77b9f5d9791cb66fcdf6579763b2abb

SHA256
5e4f2de5ee98d5d76f5d76fb925417d6668fba08e89f7240f923f3378e3e66f6

SHA512
25842535c165d48f4cf4fa7fd06818ec5585cc3719eff933f5776a842713d7adb5667c3b9b1a122a1152450e797535fc7a8e97ebdd31c14b4d4900a33ede01f3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
53f7e8ac1affb04bf132c2ca818eb01e

SHA1
bffc3e111761e4dc514c6398a07ffce8555697f6

SHA256
488294b7faff720dc3ab5a72e0607761484c678b96d6bcd6aad9ee2388356a83

SHA512
c2e79c2505a6fd075df113ffce92ad42c146424ca39087601daa4ed15a2b5528d478a093921d9d8a738c7b6b963275a0693ebe526b6e2135d14ced03639d0e70

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f350c8747d77777f456037184af9212c

SHA1
753d8c260b852a299df76c4f215b0d2215f6a723

SHA256
15b6a564e05857a3d2fd6eec85a5a30c491a7553d15ffc025156b3665b919185

SHA512
efb86809a0b357b4fcd3ba2770c97d225d0f4d9fb7430c515e847c3dd77ee109def4bef11b650b9773c17050e618008fc03377638c1db3393ac780b5b0bc31b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf77f23b.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar27F1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi17D6.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
7c2056e7337a5f29d2e5d3c67830745f

SHA1
d502f5c22895a859056930a5489192873cd04673

SHA256
3f321dbbc60371a585d60b17e3f67386bf1792b430d20071ca0e3efd9dbae99d

SHA512
c729dbee4d528d05d2a6d25ea105d8f34bb9087b9151c0b31a59337e444e4bccb1f3e49fce122fb3dd7b65132a15a0c8b5618c853287fecbe5427376200b2495

Download Submit
\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
18dd1c62ef5597389d599f4d671be388

SHA1
43e0e7e1ad31dc0bfa9b93e50013dc0cf8cdbb66

SHA256
320b33ae48dbbbfbe4f93cf1509702e6a90880688a0557b2f6ad7f5c47d94c21

SHA512
a8d8aaf823b665edbb8f7490ae232bb292a8349f77fafbffc9600934abb71a763b52f2d99b9ec73a0e2c5a62a3dc57631bfb19a5e931c4bbd2d3e17ef22f2d98

Download Submit
\Program Files (x86)\Steam\crashhandler.dll

Filesize
363KB

MD5
af7888ebe56010f3bf70574f71853cd9

SHA1
bbc3c2729bc2765ed346930450b42bcc1acdb4e8

SHA256
31c63ccc814699a5d46328c651db344d28635474f5c0531f9aaaf184d80fe976

SHA512
946874f68e932c242389062f696551d9bd5faff1b3732a18d61448c54d0c57e3fd00d75fcc27e5365ee641e4d70e35a987787cf9b670400fd11d3808f9870996

Download Submit
\Program Files (x86)\Steam\steam.exe

Filesize
4.2MB

MD5
359feb3b9136f83a261e0f260b568136

SHA1
055c32421bbb3dc8714d4f0405b2786e89e8ae6b

SHA256
7f79252afdb9402e0b4a5ac3dac1b19cc8689fd5192b69ecd7974458ef600984

SHA512
09400c3df422ee1293a8904ba4f368a792c672204370918b18266fda73c5e624229e21c32afba17fef43a01594841aeb990d56eced8ff2ebaebf4b6fd9c62cef

Download Submit
\Users\Admin\AppData\Local\Temp\nsi17D6.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
\Users\Admin\AppData\Local\Temp\nsi17D6.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi17D6.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
\Users\Admin\AppData\Local\Temp\nsi17D6.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
\Users\Admin\AppData\Local\Temp\nsi17D6.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
memory/984-12260-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1884-114-0x0000000004500000-0x0000000004502000-memory.dmp

Filesize
8KB

Download
memory/2428-12611-0x0000000070590000-0x00000000718A1000-memory.dmp

Filesize
19.1MB

Download
memory/2428-12840-0x0000000070590000-0x00000000718A1000-memory.dmp

Filesize
19.1MB

Download
memory/2964-12235-0x0000000000350000-0x0000000000804000-memory.dmp

Filesize
4.7MB

Download