Malware Analysis Report

2025-01-02 15:17

Sample ID 240625-ws12lsvdjb
Target 3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd
SHA256 3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd
Tags
gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd

Threat Level: Known bad

The file 3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan upx

PurpleFox

Gh0st RAT payload

Gh0strat

Detect PurpleFox Rootkit

Sets service image path in registry

Server Software Component: Terminal Services DLL

Drops file in Drivers directory

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 18:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 18:11

Reported

2024-06-25 18:14

Platform

win7-20240221-en

Max time kernel

108s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259400303.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Windows\SysWOW64\Remote Data.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Remote Data.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File created C:\Windows\SysWOW64\259400303.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3028 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3028 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3028 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3028 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 3004 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2648 wrote to memory of 2272 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 3028 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 3028 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 3028 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 3028 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 2856 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2856 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2856 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2856 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2184 wrote to memory of 3012 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2184 wrote to memory of 3012 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2184 wrote to memory of 3012 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2184 wrote to memory of 3012 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 924 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 924 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 924 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 924 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 1076 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1076 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1076 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1076 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 1564 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

"C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259400303.txt",MainThread

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1076" "-buildid=1718904662" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1718904662 --initial-client-data=0x224,0x228,0x22c,0x1f8,0x230,0x7fef5bcee38,0x7fef5bcee48,0x7fef5bcee58

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1092 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe

.\bin\gldriverquery64.exe

C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe

.\bin\gldriverquery.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1216 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1636 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1652 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1

C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe

.\bin\vulkandriverquery64.exe

C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe

.\bin\vulkandriverquery.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1524 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2596 --field-trial-handle=1196,i,9795870604263615493,752868378319205173,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1076" "-buildid=1718904662" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1718904662 --initial-client-data=0x224,0x228,0x22c,0x1f8,0x230,0x7fef5a8ee38,0x7fef5a8ee48,0x7fef5a8ee58

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1120 --field-trial-handle=1148,i,11763693279071422081,16565502909425471983,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1520 --field-trial-handle=1148,i,11763693279071422081,16565502909425471983,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1236 --field-trial-handle=1148,i,11763693279071422081,16565502909425471983,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1232 --field-trial-handle=1148,i,11763693279071422081,16565502909425471983,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1260 --field-trial-handle=1148,i,11763693279071422081,16565502909425471983,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1718904662 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2260 --field-trial-handle=1148,i,11763693279071422081,16565502909425471983,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 cdn.steamstatic.com udp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
BE 23.14.90.106:80 r11.o.lencr.org tcp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 test.steampowered.com udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 cdn.steamstatic.com udp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
BE 23.14.90.73:80 test.steampowered.com tcp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 api.steampowered.com udp
BE 104.68.92.92:443 api.steampowered.com tcp
US 8.8.8.8:53 ext4-fra2.steamserver.net udp
US 8.8.8.8:53 ext4-fra2.steamserver.net udp
US 8.8.8.8:53 ext2-fra1.steamserver.net udp
US 8.8.8.8:53 ext1-fra1.steamserver.net udp
DE 155.133.226.76:27035 ext4-fra2.steamserver.net tcp
DE 155.133.226.76:27037 ext4-fra2.steamserver.net tcp
DE 162.254.197.54:27023 ext2-fra1.steamserver.net tcp
DE 162.254.197.39:27019 ext1-fra1.steamserver.net tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 ext1-vie1.steamserver.net udp
US 8.8.8.8:53 ext1-vie1.steamserver.net udp
AT 146.66.155.54:27023 ext2-vie1.steamserver.net tcp
AT 146.66.155.38:27028 ext1-vie1.steamserver.net tcp
DE 155.133.226.76:443 ext4-fra2.steamserver.net tcp
AT 146.66.155.38:443 ext1-vie1.steamserver.net tcp
US 8.8.8.8:53 ext3-sto1.steamserver.net udp
DE 162.254.197.39:443 ext1-fra1.steamserver.net tcp
SE 162.254.198.46:27031 ext3-sto1.steamserver.net tcp
DE 155.133.226.76:27035 ext4-fra2.steamserver.net tcp
US 8.8.8.8:53 test.steampowered.com udp
BE 23.14.90.80:80 test.steampowered.com tcp
US 8.8.8.8:53 api.steampowered.com udp
BR 155.133.227.34:27018 udp
BR 155.133.227.34:27017 udp
BR 155.133.227.50:27017 udp
AR 155.133.255.164:27018 udp
AR 155.133.255.100:27017 udp
AR 155.133.255.164:27017 udp
CL 155.133.249.164:27018 udp
PE 155.133.244.34:27017 udp
N/A 127.0.0.1:61725 tcp
N/A 127.0.0.1:61726 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.200.189.225:80 www.microsoft.com tcp
N/A 127.0.0.1:61726 tcp
N/A 127.0.0.1:61725 tcp

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

\Windows\SysWOW64\259400303.txt

MD5 70356d5d51becd8d4f27082b8f876465
SHA1 41c1a488680ef6526f5552f0f332357f3fc893a1
SHA256 ad72d2885bd337150279dc5f57424a353102811d710e31c1f4c054b5009b583f
SHA512 8e52a0c8df46b243cf06c25dcb30461837db772d6161221ee75f0af21af3748ac026c73c5e45084f7c8e42077ff9164b9f464e28bfaa23e85408611ab2dc9e00

\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/3004-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3004-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3004-21-0x0000000010000000-0x00000000101B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

MD5 277bea32e72b3f297ba29ea26663646b
SHA1 00309eace95a503182580296fac27afdf4a10e56
SHA256 f2d3bed061e1a774b8920932034bf8111a78ce51afa4693046e3c48c7c53a1b4
SHA512 38eec3a7a4d81497e02c6f98be72ff9f0019d96f9791ec5f03ea665be1564ad88d0d1c6d67411455a2c777708761cf479997d642b2456c367b684a8bcfc5734b

memory/2272-43-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2272-45-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2272-49-0x0000000010000000-0x00000000101B6000-memory.dmp

\Windows\SysWOW64\Remote Data.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

MD5 577b7286c7b05cecde9bea0a0d39740e
SHA1 144d97afe83738177a2dbe43994f14ec11e44b53
SHA256 983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824
SHA512 8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

MD5 00bf35778a90f9dfa68ce0d1a032d9b5
SHA1 de6a3d102de9a186e1585be14b49390dcb9605d6
SHA256 cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2
SHA512 342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

MD5 836dd6b25a8902af48cd52738b675e4b
SHA1 449347c06a872bedf311046bca8d316bfba3830b
SHA256 6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64
SHA512 6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 fd8a556711d1e8e92248d05311bdf2d4
SHA1 046584b8ad26509e9ca2f8044fb41bbc5d5f9578
SHA256 e537888b762de7945aa2312ea421e96d3fdd35f87159416be3acbe39fbf9eccb
SHA512 56c1b4ba0cbbac944d8c91dafe728a82f5513bff3daf0ff27ce287e111d6bce5862d844a0704aa43932b3c76dd1b4092bf58734ac24b353f3d7310117683b317

C:\Users\Admin\AppData\Local\Temp\crashhandler.dll

MD5 9734b8f1dbde2e34f012deaad3d0cd54
SHA1 ab2498ba3976fc5f1b1debf1861a49bb5d31458a
SHA256 b0878682d846a4a3d8b953f237304a43961fda731f063b39c01c95bada04a091
SHA512 7deb0cd1192111ae92f2b2c624ba23db4e5821d305b08e9839120a874c83cb2ca6c48bca85ec2b91300dcc0145472dbf54345c6b6457a84fc62ae9f635282f21

C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifest

MD5 c1b0eb2527f93eb50c9307c7992a6892
SHA1 2b208a9af9e0de3537bef137a7f2bed01c9d814b
SHA256 919e50219d0d8fcff77805d4029a77b8e71912ab05684dca287545de3835a288
SHA512 1c60d3a523d764a74ab35c5e9c4874291288c5570410f8c6e1c4ca8ed9149b001008ee0c361be4160f057bc725447aa94f9e3100ef7ebac9e29152d102190b37

C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txt

MD5 da6cd2483ad8a21e8356e63d036df55b
SHA1 0e808a400facec559e6fbab960a7bdfaab4c6b04
SHA256 ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6
SHA512 06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txt

MD5 9684d12c74e9b7a2af39b9a49adf54ba
SHA1 ebdad65a8f1ba2a050a3e8372621b428c79d014b
SHA256 0151116cc5c78031c4e5a7c0d80e1404e44a22c029767a5c79de11e6d0d84ec9
SHA512 b164ae34a0d7ca4cef1f37276e486bfec1e1143d4b479afb604464213b3a0cd0d34c1e27574ce87656fb404f6a8acfbf567cc6c96ef61749d830c2bc4b059a57

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-locale-l1-1-0.dll

MD5 74add032773802678bbfec4d07c2f95a
SHA1 f30cd5da7d9768696d0d57cde1ba7141804ffb0d
SHA256 f55be8b606d5715e54cb795b822aa295c4e0e92170359fedf0f72c1fe07057f1
SHA512 7f2e74a2d158588aff68ea5a23237f5a08d75ee1dfc72c2b8ba4c1a172cfa826eb71ed3dafe524dc6ca4eb4d96e2d1fffc6a39e85caff5aeb3925af761623da9

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-heap-l1-1-0.dll

MD5 295a7f69076e8e789860bb3d566caa0c
SHA1 4d7ee1025ac08ce85f95c620949f9af9a0b8ad3d
SHA256 516dc0852025a741cf5cfc6be3e4ad791d4a5aa692fa35498ba7b5f146d54a1e
SHA512 959d1171c77a0c7267d69737c781c0e66cd9f513a6267e8e5c986677aaec4facae8e024bdd0a3a6ed4905df116e5d80f706d51da0a3cf26cafda2b13bcd86c14

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 d2b88081e89aa26e825b04c15ed158e4
SHA1 3d6073d8ca42ef7fd671856cbe7eec20bd78da23
SHA256 9da16f7fb466e63a5ccc24eb7ee95a80ed4216e925545a59fd6fb5d7236211f3
SHA512 4544ee07592758723947b039e7f4712c0658ef40942355e3424838aab6382c110366c9013cbd042a605bfca73b6535cedcd146db8a6e850bdb5a50f4132135a5

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-environment-l1-1-0.dll

MD5 c1da1a8ee38c89a989b8a892edf48099
SHA1 0a65c36944a2c2e210d96ca394f5065dae34f665
SHA256 f2d19e04a9fe1a382fe5c492501236a0cadc9f106036af8496a8f24457a3feb2
SHA512 085acf718846bed78e73908481aa61b3bc64ff8dd7117baa556a535b5f32d304a2f6d20cae06b0c43ecb5c934bcff4758095a0638aac428a98036e91d3047908

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-convert-l1-1-0.dll

MD5 75f7dd0261c0a7e89abe0971a6f7fad1
SHA1 a657010c0896034178caac01093430a9b550745b
SHA256 d8f04afab237a0177bc3062c6508c57f884c23013985d3c48af26b7c25028949
SHA512 07960af507910ed1366feb86487b3eb0d942f638eaeba85e1fb1bcf1dba09359c95ca93488cde969259b7e0b78df8a418e62848f49f40d3cceb8cd5f52bd5760

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-conio-l1-1-0.dll

MD5 09a4172deab1aab62c3eabfe126b2cd1
SHA1 5ecfb94c505258be83a471a22979f7f85960bb02
SHA256 56fb8c7b7d12814ab0f5fc2eb69dfe98c3e9d00dc554a5e00f2ffdf9fc8728d8
SHA512 e31adafece4e16a76e1cb54d92d82edf441e5c5e3a9c8c68d63bda6f9014705b3a9eee4502bb492b09e3384029878ebb28b82e5c9caf95f8fcae8347aba6dadf

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-util-l1-1-0.dll

MD5 27262395d098572d6babe49373d357cf
SHA1 b6c3bcecc99ad8d03a4b8672422a5aa5199eb297
SHA256 8b2197d96a4a01465e0062d5854a940232734123536ebd3c4f4116efae772688
SHA512 42e1b4ae70cd97a50b6459ba0f9375de0e1586930c8b9cc12884794de1da905fc7d766811785a98f81f13dc77cf8ba6aaa5ad8592cab4a5b873df9027fbccc82

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-timezone-l1-1-0.dll

MD5 b4bfb5cd23ca6f9ef9dfd43f70e8bba7
SHA1 2ad09fc7c204d74b4c3c67710a72e10b699d7345
SHA256 e3d05dd8f99995cb289b3f86eaaadd99a0b1ca2e12f0a0db22feec335a938111
SHA512 023d892f449f578c68074a77b46f7fabc4688a276fb0ced6b1eb6c91037f296776e2ddfd81e71c4f8976285b2e1d5d35bad2fe0ee93ff661b78d45fd34cdf476

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 d2716cd25fd6ac67580982c8efb5629a
SHA1 199c6b5208331881e9425904e345feaf1af45b82
SHA256 329149e3a2360b9e4231ebae9fc3c467d3c560195fc3bc5d2fd31c6a5fd65da5
SHA512 cfca74a6b909bb7d1e20487c4c3bb8e20e9970b49b14fe9d693c5b75fc4b83d8dcfa4ac085fc8db4ed76382266c934939b4e41a70d4ec5308fd8c7f065ccd95a

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-2-0.dll

MD5 747bedc394cb41b6a0e1b94b6ea8693e
SHA1 e6388ae7dcd0df0396e6cfabe65be85789bf72db
SHA256 ac30c50dc71795c7e0419389f15bf7676718e23f4b786da2ccd4103f24198656
SHA512 15814d5a904fd9d8fba2eb451b27c0f15d892afe98edca36e3adf55fd2df5d516012eb104035aaff0885c5dacc784c44a1f2df3f8a59324483bcb86c8b213bf0

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-1-0.dll

MD5 94eb94712d2eca213b446f17c62380f3
SHA1 90a32ddb5c5c3e8757670ebc75ffc237de12f2bc
SHA256 902ae18339560e5142c87f97e9574864b518a0ca4572298b418acadecd8ac6ad
SHA512 a9d68a3f68532f8b3e698ad6aa7303ad9c5fb838bd61444f415e20537c76f463d849d3b458f5fdd8f133e46083a3dff93ec6bf48d77495beea27ce342b1f84dc

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-string-l1-1-0.dll

MD5 6e55ff194d5bc03a8ebe89c7b237e10e
SHA1 fec152c0e14bdcee73ce234be9b5bb1608b85fd1
SHA256 9f3a2d40be41b0c47fb03df21c4f7e4120cbb348553b642c5c80b92c64b3b357
SHA512 18d8353f171a34e29674dcbff59f4db7e74857c3bb2155215d4179c7c94be7d85d43552f256b002d0e72fcfc3f9d9c4999ae83bf4599c4e68c808419e1618d8a

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 189af34aa567cd8ca0d18c1dededd39a
SHA1 0f6d013f294b267a0aa082ec3d422cf7eec2ba96
SHA256 bb2576e861a0c507db9ab2a29577803d7258eff03e52dc5f36faa51249c892d2
SHA512 e294e462cde5f099f2b3b6ac14b3771ada2ca1ec26ef485712698a98e5f4c4298a4ffed2e8cb99dfb096adf48e368ef50f30d7a5652a67fa16b250c7653d8580

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-profile-l1-1-0.dll

MD5 724d2fe0b0268b30e7db9a7488f2b306
SHA1 6cccc9bab72e205f18bb5485619dd3ccfe58202e
SHA256 074a6052a889456895d4eb8d592088b1d3858d3f6cecb884c528e74400710079
SHA512 37e6f1ddb7d57aea23da10d13a3690740babbd3634d2966a3377c59248e75982a7fe2ed5197c1ba97d7d77906235c87d78067a3430c6d45dc8a4e5fa4d7e6409

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-1.dll

MD5 2da80fbfb025423ba529e0ed5d396caa
SHA1 94eddff83c93411c0fb48101177b238f2cbabdb6
SHA256 a074cc02be4cfa314ddd7223c288b1a71fe74143c3229c7cd30fb309419d7aa6
SHA512 c23e38776c826f1f2c9bec5ba2b0fd0366d1afdb06b805749814472a362f0fffaa5231bd678af17ecd7640333c5af4f2607d976521f649053ea3d24c8e7e9c9d

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-0.dll

MD5 fbb8d74d5ca41920f285ed9d4634d501
SHA1 b1157ff444075b76bc3533b036793bda4afd96e4
SHA256 7748f69d1f67fb4afa2ebb9712687d0b9235346d35909fee80dd5cb776ce7638
SHA512 a7d6ca4666eeedc5c4bb3db07919c4d08efa67638d0cbde7cbaaa5f40a59f2c61745fc129e882d47a39a561ea78aa7ff309286921945d940ef26d121bc865cf1

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 3d9d3eaad4d1f94fd099877e3c3574ee
SHA1 3dc985619b35e8d8bda17bbffe3fb9d73c697998
SHA256 0986c9945e4db6c7e5bf42556f28ae54afafe5d991573590bffb9c494deaebdb
SHA512 5fa46bbd7eb1df2f5c233c70f5a4adc316b24e1de7e91c608d52f537a1ffa6d5cc8b1b4c6b4880b33acefb8236d7676ef50527b737ac23be968e5bdbdcd2f368

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 38949794f4b5ed88fc604583ae0c9b1a
SHA1 ffe2baaa0dcf56b56a726e314795e70d23149fe5
SHA256 2dcec9017298d32b92223c0b9125ecf15cf330973414b3e181a9dbbbd74145d4
SHA512 001f460d03b71f52cda97f5305b15c5fc40c1abe8c6deb429ecbd15d06a4ed26f7bc8cc491629cea14492cf13e22c1817312978b6095ee06b1592004a361818f

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-memory-l1-1-0.dll

MD5 c5c07cce6b571f4d566fbb2dfcfb009f
SHA1 4379f23072f145b3c31631faebba76321713e454
SHA256 dfcea447a3436a3b36287becb215633e73760de7d1df88dd24ce0f998aadf597
SHA512 d7d53c04459d373659056ed8535982ad6c558cac6239e9fef51074e8479b8777eb2dbdbf63678868f5902b6414a446b46d9d9acb9d70f3bd3dba5cba9512d982

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-localization-l1-2-0.dll

MD5 b20db974fdaf13d7a6c518c8cc4d124e
SHA1 3939b029019a583c3a65ae0e3bc2926f0889cc11
SHA256 c7253d57e123911ca6a0cdc8c74f103fc048399224393e97bf5a2a993cc13fdc
SHA512 5dde8bc5f30b69c98eec6d4d279bf1b1747ae119b8ddf8e96515d503c7937154e74bb88d7a01ebcb2b15b0f3fc2e74344c8f0df7add45af944028e3b3cba8245

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 f51c295b1f6d6845be84a53ac650e0bc
SHA1 edf0d80ea2c7de134af5d1da1f07f7cd33d9d972
SHA256 6d85722c07e91050b89692e647c8c9c6fec8c39a998286e0084a4a20619d956e
SHA512 f84224a40bf12cc61ee47607fb3d367135205d7f26667de6ac930e7fda064d8322c0279fe2d67da92d8e017b9ede8a14ff26c050c35347112052e9fa840c5c3e

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-interlocked-l1-1-0.dll

MD5 64350026ead6e66e58759314ab2b2c8d
SHA1 e81696c0cdd81af0af47c696806e745283538c94
SHA256 f30dff7c389fc5143475a99945eaf9f2e36f2f50709e256c990b10459e32b8be
SHA512 6f55429adaa2107680c9d67a15b8094346b5bf295603ec7b2cbde7698d1e1f18436b6b2303b08b83f0177c77f877a33c16cd88cad13681616c0f9c3d751eb7bc

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-heap-l1-1-0.dll

MD5 1b292e0f2b2d1a67d2032b5414c280a7
SHA1 3f42ab6ad2c6fc52d11d677c1287c58bee3d0a37
SHA256 60fa39cc05a21ce16a8651331445da1dd0e5e6c0194de819b4fa6a245f517396
SHA512 b9f6da412491d9919cb8a33483147c608d30cfa9651f326aceb96c85cf5163dd85a434ed8421cbe9a6d355df650564252cbae46a4b340459bb3d30f616e244ed

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

MD5 a6c34ff1ecc9abc954922c5e569d7912
SHA1 910709fc703f559d37ea6d7d75ee13b62cbb4290
SHA256 b71658e60bfa69f0bbcafbc8df40b118e9fc5df747e2069db0ac18b66aaab818
SHA512 c0612a7cfe143c22d9945e287a4be0378b808e974a845ba762bbff028080eb6149bf5451d1f7aa0c2cea74499b82007dc730ad51b0b2db4b0f8fc11c03f8e20d

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

MD5 b3a3f902a5fe7b70c988aebd0e523d53
SHA1 6fb07024c76cd0c4e07c3d0efa088b74998d59b1
SHA256 61365671b9fccbc10c06ccc0d4c8875dd98ca51e8d3eb77e91069b1bd11e4a96
SHA512 3bc057781870932f9703561bed8f786af9306a6a237582551edd12220e95521b8433a507ce702fa929654e930d0cba976eb0fc72fbe567d44620232e18390ce9

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

MD5 2bfcd1d1b70eef1a10c939a4eeab5403
SHA1 12656ee086124eaf205a9eb470a78bc5e3d2512e
SHA256 b0919c80eb88d5d6aeb7a6eb42344f40ebf6bf0914a45045d9606e2469f15132
SHA512 9143ffd7e00f4168f78f72e9e08e6a901ffc57a1bdc07531d73f0d4fc59ae2a114d939bf2a60313ac34aa835e6c297168f255685cbd795c748fe9c8906d2215c

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

MD5 d218fcedc1bee50c45f4e786c6d60564
SHA1 c4371579afbfae000e5b9a0ce07472be17badc9f
SHA256 13266c9674e9c663252ff2dc1a014a86cbaa42801d210f408269bd1dff681440
SHA512 efc30d116515ee000084db671a4c2d68551035b5512e7117c3c53d6ceb2b0418ee2ccdb5f76fa267be48e37d21a950e20423f95fc4e1c4d2c9e5fb47b692c882

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

MD5 b72dcda47e269f98aa6998df1b27b3e5
SHA1 8a68318787497d2ed4ee6d981de825c874bcb603
SHA256 b9aefe9709a17fcaf8b85168c68f42e2b57f8214e7456a82c74495b815dc5bfe
SHA512 17b00481db67db8bf8f07035c760eb7adff65d59c532711d918bb1f2bbdbb6230cd0c583f3418102b80b6a085d45d3e3efe9a641e7dfa821c8a18505e9bb1420

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 649e3b7d4b114213383aebd2dda0308d
SHA1 ba1ba5acb362cbab817c5e1a3126d6ebf600740b
SHA256 b15dd0c332b261d62a0b37b8981980a15e47b4682e6985e26f155a85f19e1466
SHA512 e667462ba457d44982337edda451a5d78eb4b6eab2e6a696ca333bdcd6688873e2c50b45e464e333ecf9f5b07dc35412bc746ff187b99e8139f9b8ef0456849c

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

MD5 df9e90a38a99d1f609ba721a3d329195
SHA1 ad8859c5ec7f591800c0d4b6453eb10167ae142d
SHA256 ba17d3a66e3df85fbf8b82b500f1360f8598cd48a814fda3e552cdd995e6f449
SHA512 e41ba10d2c679754627c348232bd8124a01eceedfe30c88b6f7ed257895a7b59e5149d448a68415c4d2cc1a5c2c32a575f032b764a14a2330d62f08ccb87de85

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

MD5 e763390e8aebf15cb2b9b5b8c9cc4e9e
SHA1 0f9f6544903700fa26c8892ff7e4881c56238282
SHA256 5963b1cdb894ce297e52844741047f74f8d86fa7e97437e26d9bc8f0094e1003
SHA512 4c8089029c0d97ef1a1570dc47a8eda08f2071332521cdb54b5b52786d078c19bf0324fa43b9d1c49b942f8eedf7a6dab606b25a3913a80f6c8d7bb97d28a768

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

MD5 f9bf7d30ea5a945b77910a06151ff620
SHA1 3158c9ab3fd9b6fed40e77abe39eb53234151977
SHA256 b4ff5467266a4f8e5d8998525a8948b8b86d51a23c2f4f7023c505c8db341802
SHA512 07e01ebde7c80fa3937f2169da9dc496f0a5efbbbc9c305e7772e28e334906054c14747fe10cca0ac1f1f275d95a08801ae7c44ca1cbddae1c1e008bf428d1a4

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

MD5 4cbad862a3ff6e7ac0f33a904d247536
SHA1 57ed831d8f3739aee41735fce679641862c36076
SHA256 32a70082cf3496745580c0e4b7d1bdbe925013300f0573ccef466e7a1915a51c
SHA512 355e5f5081588c2460b6c21818172eea17b18f6d94a958902db57a585409c8a2231a2666bc12548316a041bfce8a2eeeef2e4759a9e38900550b6a7c96d7ed2a

C:\Users\Admin\AppData\Local\Temp\bin\audio.dll

MD5 1f2d6a54ee20a1fc3e421f4617e11fee
SHA1 8faacf81b34ff7eb54c70520a15b53954ad27565
SHA256 8683b6868f2fa1f29aa4d800a11b8cf628cda3b3651575c147b1e51e89a19309
SHA512 4f52fa530755fd3dc775861f880729e9ca9a892408707e816d89f25f1ec03b17779945b3ebda228ca83a320c167523a9801afdcb526420b314df6861b9f97f06

C:\Users\Admin\AppData\Local\Temp\avif-16.dll

MD5 a09c5fa842fa4456a0b53b46f1050225
SHA1 9e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e
SHA256 3d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b
SHA512 71c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5

C:\Users\Admin\AppData\Local\Temp\aom.dll

MD5 d764264518e77cc546a5876c3bcebad4
SHA1 ea17d45b396fa193a851bfd345e2b2c20ad60e12
SHA256 e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd
SHA512 7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f

C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.installed

MD5 12bd767a7bc1ce8dce1c97b3e5c2c4dc
SHA1 8c414f7970e8cfec2e717f6d3e62ed48d9f01205
SHA256 745ce549f0836ef10a3c1987be02fe90dbbae8f143888b1927966dc3a3ab1fb9
SHA512 a3c3d108c0880614b6cd6bcff37bd4186284725a07c6059ec10bed72d358c4211d665d9fd431ed55094e0a18066f1d52bd13d911d2ca8c451f3a43be07d86518

C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.bin

MD5 8aba70184c31ed5ae25df09959871200
SHA1 585daed11aa7ee1e39dca0f212df6eceb3a51d1c
SHA256 4634c69804cf2b4b87c660d9020d4aed3ef4675dfedb837c4539cecaaa64b9fc
SHA512 c6278c722af7ef2c62060a7123c15a46c423f27447e07756904eb40e1819735812bfd651f4522e9446c3d1abc06aa66229837cb5a285d3ac44a06960d0bec122

memory/2164-12498-0x0000000000060000-0x0000000000061000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf7777de.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\Cab8F07.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1076-12817-0x000000006FE60000-0x00000000711D9000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\TarAA09.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAB57.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8c7fbe111c907b0a5bf25895ea2494e7
SHA1 ed7b8b1f0bca6d80adfdd6cb9fd597c8a67daf14
SHA256 c762e2defd5d35c8005f3f347dbf2a48837aafa0e7bcee9defc6f196d52e6684
SHA512 5a9419890d1465b4d600d052c932d63244ff6f692fe2685ae3df04cfbbc2f34daee2223d7d167fd57d1ba253f2acf6c2c71ba21a289ac4fd095c9b8a9035ac82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b017b435f9459d2790e47bc9fe9cc4f
SHA1 f59120e31eeb0b8675e56f8cbe4882dddbd895fc
SHA256 20139d865e2ce927cf483e715a91877a034ed402a736ab83195a1cf4de168d67
SHA512 d2d77b1f990546944be153060f097f8f1cdf8e2cd04a346207bbe6434d30711fc25700e27311e9f18a3039265d596bab3a4767bda3984a9456d7c1d382ff764a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 18ad78f9ba7fc0e9f138ebd160365964
SHA1 cdd7f5f018db087dd90c55b42f4cde0620cd5639
SHA256 baa312d63c01279e87c08379587264a267c4481d04585b6b5440abb530fd357c
SHA512 2d62257a89dee1df7d9ee8320e3923624b615e013f238a1a206759cb8bc56f8bfba71c93ee0dbafd2694785d8e25aabffb4d12a34c4a9eec4dbbd716d799a201

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8732601cf290e29c74bcfbe4b7b59b3b
SHA1 62019ed32c9f8c9d49a514e4624aef57a2f458b1
SHA256 7f7fbb7a33812f0a3e16549048c817731624474c5945355ec384655e91dc255f
SHA512 783cc21c15cabddbc93f0283f522b4c05a091a5f3382345cc26813cd37cd9e5ddc58a0321ecc1772328264128152feda96291d9ad2c4e5df08adc020d2fff83b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f2828391ed3b8f5f09d2f1268268b1b
SHA1 8652759f3941b238609c7422532ece19dc310bb1
SHA256 8342ddebba32ee8353d411c5114647ef1ce157013caf12c8bb04a13b63361e5c
SHA512 ff4288d2d10801d071bdc23a230d409592f358706b1dd462ca70606eb94c118876c16f860963b52c677fdd0412d5ec3bf56cae48507461fb435fb8d1eb8ac175

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d1c61de47d2f60738c5eb30b89329ee
SHA1 c5382987d199fe8a7166a3167f3e503d83198955
SHA256 111dd744024317a6bee743eeb16baa8bd4419d3baf24a882b40d12094c30d970
SHA512 6de9e99fe5324c093ea36eeaeb602e1902d8b140a03111e89cf7d341aa376b512284e32a35a194d9921158c79864e63ee214922235134dfc0bbd53159693ba73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e550c39490a40882bd09c6ab5125780c
SHA1 19ab6f742f946855f24b4942d54a2543b68c5746
SHA256 b33d79cb4cc911089937baf70e8abed6d49504ddbeac1f24c026e6342c8ed9cd
SHA512 dceea96ef29d3637dc5e624dc81b08fa3c2ca8adbe05ce35c4898029ad9158f8f0b79bc7d5e4269fbd457eb3bfc0e2af28395b513e7a53e8e1b07860a7f85813

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 033611ded6a995c045d2388dc5dd2fbc
SHA1 81b379963d37138a79fbb29e767c4a7ae1adb527
SHA256 26853f835da12ae3a8c22fe67492862f35580a6d0561572877e961aa776fd775
SHA512 a637886541877261db80edffe0cc2929b36c09f1080cfff6f98013f1c3bb1a3433a848c539a9e9dcfc4d09353379cc24e9c06444932ecfdf26d499b0cf08f3ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0cbf54e3222278cb4799366b45ab9e52
SHA1 f1069a1997b4220d42d832b4338c2c9eea521b43
SHA256 9a938dc02fc65a69fa2b4d831db683cfcaba4db0e1bd613873d2ba111aa47b67
SHA512 37a1e9783aa91cd9dadd97e53b2dcb30d50feca0175e3f2e47125a1d2d6f43b61b86e794a748206680557dcb165970ecc5839e084e22d74592effee1b40fcb3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be7eb7bfc453be42c55de83d94469908
SHA1 daaeae0988aef8f93a11f7a87f3f6d2704780467
SHA256 28f7b4da602c6a16602309a326e00ec1b92ded81d6ee45b9a983d06c76c8dc44
SHA512 0de56065b2697deb85863a952a3697fc51f8861f8cd59a8e1f6526e1f1171c38bffe679b50113406e1fb28498578be1ac37b500bb9af63b89f1c54f711e26432

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e8b9d929da87a68b602cc6e10ee9a3d
SHA1 a2d5945859c6858bdcae2440edc7ef6b7bec85fb
SHA256 c20e937185dc7b1b06c5a58d530b44b04e8a8ac754efbb9ace9383a39b619df5
SHA512 6be5a1239c450de1f23598afd17769485a9fa44c5f336a500592342d9b5b10be32cd40c45dc7baa2c0e67236c2111e9ad833c1aaba6dc0a5281dfbbdc1950fc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff35461c4dbe4447c78c3572b2874f6f
SHA1 4822f62f636cc854d84bc82089ae771d8b3eec21
SHA256 147cb75901d2bc1884d2223e2093b8fe1bc3ccbe3bd9c9bbfbb7c60f28aceb4c
SHA512 e09c9761fa7af1b5e5396076217f444ba2001dd7cd94aaf8943b912c2ed6cca03fd6c052e8b010836b13e5f013c72fc2419dc6ab82ecbc8721f8985db61605f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1b4271d36526aec2c55ef2a84be67d3f
SHA1 761b04895a53dbc93da482030961300c9c8e51c3
SHA256 c740474cd5cddab772ded736d94dd23f3b04ee832bf1ae0ac4bcd354fa7c2f0b
SHA512 008f1ae7f582a3585ccc71049045d615a21d90f3a4c95e2d44a4654cc5b45d4236657bb3e1639958cffd3a6e75747fef43d87187ddf1719135209eab7111c2ab

memory/1076-13716-0x000000006FE60000-0x00000000711D9000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d90896a63c2973ccfed10678de9aa156
SHA1 0a71605243577572c3f0459b2fc014810162bc3d
SHA256 45efc74a4d7d2c2953504e0c97292935c03597544694283015e3da32ee64bd90
SHA512 4398e2a235206fd6fd61eba1f893362e0f9dc81e428c044a01e2cdd9d2ec6e497f762b48d68208a35c092cc1e09450dd6e3da75659866db8ad0963da5282270f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4579f754f37e12e63b6060a36a74166a
SHA1 df2a09bda28c8c3921ffa0a460f67d2a0e2aebbe
SHA256 fe9f5887d8f01a1e0fa867ac69711d96d75a42b2140ed528113748b5d394bac6
SHA512 e9dc932bd799b71058cf847b73a4476bf9aca4fe7286cfc4e0d6257268c3bfef58db275f010441cc5de4f4565ee9ee1cd926df92fee50559a7cb88f396b238ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 84ad26be20aac3dc2dee0f611885ecfd
SHA1 f029630fa3d10393c601ae9c314917de18524a07
SHA256 abed9b1b8b1392b1ff4db409365f6c2c63514fe4af238cd8b5ebcbb9ecbaa411
SHA512 82ffa1b163809715a74ccef3304d41ac406c136763bdb762ed29d68e8a6303af37d63843e27a04969f7e4ff399657b94964d035961d66bad91de8a1d489c03e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a95e6d7184dc04c3a9eb7f0d1baa0a26
SHA1 2930242c32fff17222a0fba5253bc116a317bb85
SHA256 afe542a5fc590c3814be739d4fd9292ee365804126b711432be178b898483559
SHA512 a0aca5bd5d3db10c3daa27cd42240c9cdd2513fb2ff132cb9d1f330e7944166538dd60359ad19d7fa4aa2c4726cab5f55608ea88297c3bf1600c18e977977c38

memory/1076-13947-0x000000006FE60000-0x00000000711D9000-memory.dmp

memory/1076-13953-0x000000006FE60000-0x00000000711D9000-memory.dmp

memory/1076-13954-0x000000006FE60000-0x00000000711D9000-memory.dmp

memory/1076-13956-0x000000006FE60000-0x00000000711D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 18:11

Reported

2024-06-25 18:14

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatfor.exe N/A

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240601765.txt" C:\Users\Admin\AppData\Local\Temp\R.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatfor.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\Remote Data.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe C:\Users\Admin\AppData\Local\Temp\N.exe N/A
File created C:\Windows\SysWOW64\240601765.txt C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File opened for modification C:\Windows\SysWOW64\ini.ini C:\Users\Admin\AppData\Local\Temp\R.exe N/A
File created C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\Remote Data.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
File created C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\_platform_specific\win_x64\widevinecdm.dll.sig C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\_platform_specific\win_x64\widevinecdm.dll C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\LICENSE C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\manifest.json C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\_metadata\verified_contents.json C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
File created C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\manifest.fingerprint C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\N.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatfor.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 4948 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 4948 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\R.exe
PID 4948 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 4948 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 4948 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\N.exe
PID 960 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\N.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 4512 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2956 wrote to memory of 4512 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 2956 wrote to memory of 4512 N/A C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe
PID 4948 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 4948 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 4948 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2548 wrote to memory of 4880 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2548 wrote to memory of 4880 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 2548 wrote to memory of 4880 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Remote Data.exe
PID 1600 wrote to memory of 13384 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 1600 wrote to memory of 13384 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 1600 wrote to memory of 13384 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe
PID 13384 wrote to memory of 13632 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13384 wrote to memory of 13632 N/A C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13676 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13676 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
PID 13632 wrote to memory of 13812 N/A C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

"C:\Users\Admin\AppData\Local\Temp\3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe"

C:\Users\Admin\AppData\Local\Temp\R.exe

C:\Users\Admin\AppData\Local\Temp\\R.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "Remote Data"

C:\Users\Admin\AppData\Local\Temp\N.exe

C:\Users\Admin\AppData\Local\Temp\\N.exe

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul

C:\Windows\SysWOW64\TXPlatfor.exe

C:\Windows\SysWOW64\TXPlatfor.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Windows\SysWOW64\Remote Data.exe

"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240601765.txt",MainThread

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=13384" "-buildid=1718904662" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1718904662 --initial-client-data=0x368,0x36c,0x370,0x344,0x374,0x7ffae06eee38,0x7ffae06eee48,0x7ffae06eee58

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1596 --field-trial-handle=1728,i,7280154914657719799,5514960452970361349,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2192 --field-trial-handle=1728,i,7280154914657719799,5514960452970361349,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x408 0x4b0

C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe

.\bin\gldriverquery64.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2508 --field-trial-handle=1728,i,7280154914657719799,5514960452970361349,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --first-renderer-process --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1728,i,7280154914657719799,5514960452970361349,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1

C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe

.\bin\gldriverquery.exe

C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe

.\bin\vulkandriverquery64.exe

C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe

.\bin\vulkandriverquery.exe

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe

"C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1718904662 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1084 --field-trial-handle=1728,i,7280154914657719799,5514960452970361349,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 cdn.steamstatic.com udp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
BE 23.14.90.74:80 r11.o.lencr.org tcp
US 8.8.8.8:53 81.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
BE 23.14.90.81:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 35.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 test.steampowered.com udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
BE 23.14.90.90:80 test.steampowered.com tcp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 90.90.14.23.in-addr.arpa udp
N/A 127.0.0.1:50296 tcp
N/A 127.0.0.1:50290 tcp
US 8.8.8.8:53 api.steampowered.com udp
BE 104.68.92.92:443 api.steampowered.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 92.92.68.104.in-addr.arpa udp
US 162.254.199.181:27017 udp
US 162.254.199.163:27017 udp
US 162.254.192.74:27017 udp
US 162.254.192.71:27018 udp
US 155.133.253.50:27018 udp
US 155.133.253.50:27017 udp
US 162.254.193.74:27017 udp
US 8.8.8.8:53 181.199.254.162.in-addr.arpa udp
US 8.8.8.8:53 163.199.254.162.in-addr.arpa udp
US 8.8.8.8:53 74.192.254.162.in-addr.arpa udp
US 8.8.8.8:53 71.192.254.162.in-addr.arpa udp
US 8.8.8.8:53 50.253.133.155.in-addr.arpa udp
US 8.8.8.8:53 74.193.254.162.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:443 dns.google udp
GB 216.58.204.67:443 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 123.35.104.34.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 ipv6check-udp.steamserver.net udp
US 8.8.8.8:53 api.steampowered.com udp
BE 104.68.92.92:443 api.steampowered.com tcp
US 8.8.8.8:53 ipv6check-http.steamserver.net udp
US 8.8.8.8:53 ext4-iad1.steamserver.net udp
US 162.254.192.87:27033 ext4-iad1.steamserver.net tcp
US 162.254.192.87:27024 ext4-iad1.steamserver.net tcp
US 8.8.8.8:53 ext2-iad1.steamserver.net udp
US 162.254.192.75:443 ext2-iad1.steamserver.net tcp
US 8.8.8.8:53 ext1-atl3.steamserver.net udp
US 162.254.199.163:27033 ext1-atl3.steamserver.net tcp
US 8.8.8.8:53 87.192.254.162.in-addr.arpa udp
US 8.8.8.8:53 75.192.254.162.in-addr.arpa udp
US 162.254.199.163:27023 ext1-atl3.steamserver.net tcp
US 8.8.8.8:53 ext2-atl3.steamserver.net udp
US 162.254.199.181:443 ext2-atl3.steamserver.net tcp
US 8.8.8.8:53 ext2-ord1.steamserver.net udp
US 162.254.193.74:27035 ext2-ord1.steamserver.net tcp
US 162.254.193.74:27022 ext2-ord1.steamserver.net tcp
US 8.8.8.8:53 ext1-sea1.steamserver.net udp
US 205.196.6.214:27019 ext1-sea1.steamserver.net tcp
US 162.254.193.74:443 ext2-ord1.steamserver.net tcp
US 8.8.8.8:53 214.6.196.205.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
GB 216.58.204.67:443 udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

C:\Users\Admin\AppData\Local\Temp\R.exe

MD5 8dc3adf1c490211971c1e2325f1424d2
SHA1 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256 bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512 ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

C:\Windows\SysWOW64\240601765.txt

MD5 70356d5d51becd8d4f27082b8f876465
SHA1 41c1a488680ef6526f5552f0f332357f3fc893a1
SHA256 ad72d2885bd337150279dc5f57424a353102811d710e31c1f4c054b5009b583f
SHA512 8e52a0c8df46b243cf06c25dcb30461837db772d6161221ee75f0af21af3748ac026c73c5e45084f7c8e42077ff9164b9f464e28bfaa23e85408611ab2dc9e00

C:\Users\Admin\AppData\Local\Temp\N.exe

MD5 4a36a48e58829c22381572b2040b6fe0
SHA1 f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

memory/960-19-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/960-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/960-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/960-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2956-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2956-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2956-29-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_3096ebbb0d335913e4dc83b4547bbe5cb63bb392031ae977b49e881330e015dd.exe

MD5 277bea32e72b3f297ba29ea26663646b
SHA1 00309eace95a503182580296fac27afdf4a10e56
SHA256 f2d3bed061e1a774b8920932034bf8111a78ce51afa4693046e3c48c7c53a1b4
SHA512 38eec3a7a4d81497e02c6f98be72ff9f0019d96f9791ec5f03ea665be1564ad88d0d1c6d67411455a2c777708761cf479997d642b2456c367b684a8bcfc5734b

memory/4512-39-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4512-42-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4512-44-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 fd8a556711d1e8e92248d05311bdf2d4
SHA1 046584b8ad26509e9ca2f8044fb41bbc5d5f9578
SHA256 e537888b762de7945aa2312ea421e96d3fdd35f87159416be3acbe39fbf9eccb
SHA512 56c1b4ba0cbbac944d8c91dafe728a82f5513bff3daf0ff27ce287e111d6bce5862d844a0704aa43932b3c76dd1b4092bf58734ac24b353f3d7310117683b317

C:\Windows\SysWOW64\Remote Data.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

MD5 577b7286c7b05cecde9bea0a0d39740e
SHA1 144d97afe83738177a2dbe43994f14ec11e44b53
SHA256 983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824
SHA512 8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

MD5 00bf35778a90f9dfa68ce0d1a032d9b5
SHA1 de6a3d102de9a186e1585be14b49390dcb9605d6
SHA256 cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2
SHA512 342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

MD5 836dd6b25a8902af48cd52738b675e4b
SHA1 449347c06a872bedf311046bca8d316bfba3830b
SHA256 6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64
SHA512 6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txt

MD5 da6cd2483ad8a21e8356e63d036df55b
SHA1 0e808a400facec559e6fbab960a7bdfaab4c6b04
SHA256 ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6
SHA512 06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

C:\Users\Admin\AppData\Local\Temp\crashhandler.dll

MD5 9734b8f1dbde2e34f012deaad3d0cd54
SHA1 ab2498ba3976fc5f1b1debf1861a49bb5d31458a
SHA256 b0878682d846a4a3d8b953f237304a43961fda731f063b39c01c95bada04a091
SHA512 7deb0cd1192111ae92f2b2c624ba23db4e5821d305b08e9839120a874c83cb2ca6c48bca85ec2b91300dcc0145472dbf54345c6b6457a84fc62ae9f635282f21

C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifest

MD5 c1b0eb2527f93eb50c9307c7992a6892
SHA1 2b208a9af9e0de3537bef137a7f2bed01c9d814b
SHA256 919e50219d0d8fcff77805d4029a77b8e71912ab05684dca287545de3835a288
SHA512 1c60d3a523d764a74ab35c5e9c4874291288c5570410f8c6e1c4ca8ed9149b001008ee0c361be4160f057bc725447aa94f9e3100ef7ebac9e29152d102190b37

C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txt

MD5 a1f564c1f20f00efc8329e2c0f9e0611
SHA1 c716e51eb4117aae4ebe07dae4684797a6579908
SHA256 ebf11d0d6e13c453e4d63d2ec2ecd96a81e4e6a855b803e95017bf39002d6af6
SHA512 818f7bdb1450faa20f4dfbd076d28988abde74d5d10713efd9be3abe763df5963e2c5b729480c4d8a48e20e03b4682886df5532aaa59a879e14a7cd678c49dbd

C:\Users\Admin\AppData\Local\Temp\aom.dll

MD5 d764264518e77cc546a5876c3bcebad4
SHA1 ea17d45b396fa193a851bfd345e2b2c20ad60e12
SHA256 e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd
SHA512 7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

MD5 4cbad862a3ff6e7ac0f33a904d247536
SHA1 57ed831d8f3739aee41735fce679641862c36076
SHA256 32a70082cf3496745580c0e4b7d1bdbe925013300f0573ccef466e7a1915a51c
SHA512 355e5f5081588c2460b6c21818172eea17b18f6d94a958902db57a585409c8a2231a2666bc12548316a041bfce8a2eeeef2e4759a9e38900550b6a7c96d7ed2a

C:\Users\Admin\AppData\Local\Temp\bin\audio.dll

MD5 1f2d6a54ee20a1fc3e421f4617e11fee
SHA1 8faacf81b34ff7eb54c70520a15b53954ad27565
SHA256 8683b6868f2fa1f29aa4d800a11b8cf628cda3b3651575c147b1e51e89a19309
SHA512 4f52fa530755fd3dc775861f880729e9ca9a892408707e816d89f25f1ec03b17779945b3ebda228ca83a320c167523a9801afdcb526420b314df6861b9f97f06

C:\Users\Admin\AppData\Local\Temp\avif-16.dll

MD5 a09c5fa842fa4456a0b53b46f1050225
SHA1 9e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e
SHA256 3d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b
SHA512 71c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5

C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.installed

MD5 2e7a43d569c43a958b03da23d0951ad3
SHA1 58e257768573074380e479920c9c6dfc8052ea7a
SHA256 6ebb9c7979384493df39adc7360e623ddddc48fe4bd588a63db256b2e2884800
SHA512 9a31b517b251d40c20cda4460fba71b7f327c7931f507b1641d5b20c704d4484575bd4cb83be3bd2dd9f60bc5fbda5b0a8e50701996bff42a41ccea9b6fbc3db

C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.bin

MD5 f71cc8a518d1c9bd77d56bbe77c3a632
SHA1 f1456ed26d3f245e88b6a7ea0254c2f815a38dba
SHA256 abff2786436bb4c9ba8e6d22871b3541da9d7627d0e18d9292887b91056c3df5
SHA512 0379ae41363ae245048fe20b10359cc29be023dc20a76ea58c1f1e8f2c23f7b4c6e0954c9e5cecdd2827f02a0dcb82bc385a40e30d51e870bc4d2eea0fe5fb57

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-stdio-l1-1-0.dll

MD5 977d803ac9d935b15fbb8d96f920bf3b
SHA1 558ae5c0bb4daa27e4e97a0e07a729c379777181
SHA256 509e51146b6a3e77b82cb786e17d4d52e398064446c469a45ad0c087ac5df270
SHA512 03237327bc1e9534c9d82671938d3f019be7785f8727772d901cf03a3175b0118d6952c32ce49bd2b12160077e997e41ff140b848199bbf24051d5299a6ad74c

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-runtime-l1-1-0.dll

MD5 af184e36ef33584a5af2e23ce8d90c91
SHA1 5b518eb0bb17d45e5c7e2cb3ae16d5cf981a54ce
SHA256 b350748aa75d4f06e11c228161e1e94019b38aab9f5b59ca84db27acac00442d
SHA512 4190753f181c24592839bc52427ef65237ee8ed21c58d04dc9d5d4c52f0f9a00bc98443e1608ea665cf0fbf9dbec5b9be7c1d174c687b0ef8c47541605b2bff0

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-process-l1-1-0.dll

MD5 39cd364433575b3811f032005c229e5c
SHA1 6f8789d3191cd227375395b3d47837cc21d2baa0
SHA256 17394645fbccf060d02902c9aa9522626383437c1dd83554e3ac564e50f62716
SHA512 0fc2e80f5656624c2bdd7d847a4eba23cff81e47313d97da09ef76e9287ca96cbc60809232417957cd2c3078b87f8da353ba11c62a37df3a2d17369cd8d7ddec

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-private-l1-1-0.dll

MD5 9a786144e410dfa13579eb73a375d918
SHA1 811d783ea1d4b799e6ad51ec5720fa9e9b60f158
SHA256 c9dd515e999f64af123f396d3deddc49012011060c843e5edb4223345143b0c5
SHA512 3877ebbfc62ea741f77ac1ef04e969855af17ccaa2e3df9a18895b794ac6a3dc2bb4ebb8b46aae5cfc5bc032741f3dcb8a6df8631bf169ef7457b13c8b277620

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 d099dba2a0c6e5a6e53bd09c4d09a23d
SHA1 e925991619eefffbef71fef5374cb4f29c0c046f
SHA256 3b6f668eaa9efcdb8b36d57747666fe76aa4f3b7873ae83bece0099f105bc145
SHA512 0c73c00a134895bbc563676f9314ab2190fed2db9b02d5c9500b0f735dcd37b46c262920550eb6959324499dc9d0337fde731e1221f8d1185023737401d51745

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-math-l1-1-0.dll

MD5 8f8dbf4eafbef6a3c488bfca1529e06d
SHA1 a8c916c20326aa6960e46608daaa39fe09fa8138
SHA256 f1d44a0a83fa84f5fc9a05008f57174930d42db834ddadb3e9df7650042961fc
SHA512 ebcff256e4f9a6035a02b05dd6ba6d1c652151d76a5b553495925b692496c18663677dbf39a7d7827af9d13cdb81c4064d9e21b0fc0123a65e0432736192c3e4

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-locale-l1-1-0.dll

MD5 74add032773802678bbfec4d07c2f95a
SHA1 f30cd5da7d9768696d0d57cde1ba7141804ffb0d
SHA256 f55be8b606d5715e54cb795b822aa295c4e0e92170359fedf0f72c1fe07057f1
SHA512 7f2e74a2d158588aff68ea5a23237f5a08d75ee1dfc72c2b8ba4c1a172cfa826eb71ed3dafe524dc6ca4eb4d96e2d1fffc6a39e85caff5aeb3925af761623da9

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-heap-l1-1-0.dll

MD5 295a7f69076e8e789860bb3d566caa0c
SHA1 4d7ee1025ac08ce85f95c620949f9af9a0b8ad3d
SHA256 516dc0852025a741cf5cfc6be3e4ad791d4a5aa692fa35498ba7b5f146d54a1e
SHA512 959d1171c77a0c7267d69737c781c0e66cd9f513a6267e8e5c986677aaec4facae8e024bdd0a3a6ed4905df116e5d80f706d51da0a3cf26cafda2b13bcd86c14

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 d2b88081e89aa26e825b04c15ed158e4
SHA1 3d6073d8ca42ef7fd671856cbe7eec20bd78da23
SHA256 9da16f7fb466e63a5ccc24eb7ee95a80ed4216e925545a59fd6fb5d7236211f3
SHA512 4544ee07592758723947b039e7f4712c0658ef40942355e3424838aab6382c110366c9013cbd042a605bfca73b6535cedcd146db8a6e850bdb5a50f4132135a5

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-environment-l1-1-0.dll

MD5 c1da1a8ee38c89a989b8a892edf48099
SHA1 0a65c36944a2c2e210d96ca394f5065dae34f665
SHA256 f2d19e04a9fe1a382fe5c492501236a0cadc9f106036af8496a8f24457a3feb2
SHA512 085acf718846bed78e73908481aa61b3bc64ff8dd7117baa556a535b5f32d304a2f6d20cae06b0c43ecb5c934bcff4758095a0638aac428a98036e91d3047908

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-convert-l1-1-0.dll

MD5 75f7dd0261c0a7e89abe0971a6f7fad1
SHA1 a657010c0896034178caac01093430a9b550745b
SHA256 d8f04afab237a0177bc3062c6508c57f884c23013985d3c48af26b7c25028949
SHA512 07960af507910ed1366feb86487b3eb0d942f638eaeba85e1fb1bcf1dba09359c95ca93488cde969259b7e0b78df8a418e62848f49f40d3cceb8cd5f52bd5760

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-conio-l1-1-0.dll

MD5 09a4172deab1aab62c3eabfe126b2cd1
SHA1 5ecfb94c505258be83a471a22979f7f85960bb02
SHA256 56fb8c7b7d12814ab0f5fc2eb69dfe98c3e9d00dc554a5e00f2ffdf9fc8728d8
SHA512 e31adafece4e16a76e1cb54d92d82edf441e5c5e3a9c8c68d63bda6f9014705b3a9eee4502bb492b09e3384029878ebb28b82e5c9caf95f8fcae8347aba6dadf

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-util-l1-1-0.dll

MD5 27262395d098572d6babe49373d357cf
SHA1 b6c3bcecc99ad8d03a4b8672422a5aa5199eb297
SHA256 8b2197d96a4a01465e0062d5854a940232734123536ebd3c4f4116efae772688
SHA512 42e1b4ae70cd97a50b6459ba0f9375de0e1586930c8b9cc12884794de1da905fc7d766811785a98f81f13dc77cf8ba6aaa5ad8592cab4a5b873df9027fbccc82

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-timezone-l1-1-0.dll

MD5 b4bfb5cd23ca6f9ef9dfd43f70e8bba7
SHA1 2ad09fc7c204d74b4c3c67710a72e10b699d7345
SHA256 e3d05dd8f99995cb289b3f86eaaadd99a0b1ca2e12f0a0db22feec335a938111
SHA512 023d892f449f578c68074a77b46f7fabc4688a276fb0ced6b1eb6c91037f296776e2ddfd81e71c4f8976285b2e1d5d35bad2fe0ee93ff661b78d45fd34cdf476

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 d2716cd25fd6ac67580982c8efb5629a
SHA1 199c6b5208331881e9425904e345feaf1af45b82
SHA256 329149e3a2360b9e4231ebae9fc3c467d3c560195fc3bc5d2fd31c6a5fd65da5
SHA512 cfca74a6b909bb7d1e20487c4c3bb8e20e9970b49b14fe9d693c5b75fc4b83d8dcfa4ac085fc8db4ed76382266c934939b4e41a70d4ec5308fd8c7f065ccd95a

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-2-0.dll

MD5 747bedc394cb41b6a0e1b94b6ea8693e
SHA1 e6388ae7dcd0df0396e6cfabe65be85789bf72db
SHA256 ac30c50dc71795c7e0419389f15bf7676718e23f4b786da2ccd4103f24198656
SHA512 15814d5a904fd9d8fba2eb451b27c0f15d892afe98edca36e3adf55fd2df5d516012eb104035aaff0885c5dacc784c44a1f2df3f8a59324483bcb86c8b213bf0

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-1-0.dll

MD5 94eb94712d2eca213b446f17c62380f3
SHA1 90a32ddb5c5c3e8757670ebc75ffc237de12f2bc
SHA256 902ae18339560e5142c87f97e9574864b518a0ca4572298b418acadecd8ac6ad
SHA512 a9d68a3f68532f8b3e698ad6aa7303ad9c5fb838bd61444f415e20537c76f463d849d3b458f5fdd8f133e46083a3dff93ec6bf48d77495beea27ce342b1f84dc

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-string-l1-1-0.dll

MD5 6e55ff194d5bc03a8ebe89c7b237e10e
SHA1 fec152c0e14bdcee73ce234be9b5bb1608b85fd1
SHA256 9f3a2d40be41b0c47fb03df21c4f7e4120cbb348553b642c5c80b92c64b3b357
SHA512 18d8353f171a34e29674dcbff59f4db7e74857c3bb2155215d4179c7c94be7d85d43552f256b002d0e72fcfc3f9d9c4999ae83bf4599c4e68c808419e1618d8a

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 189af34aa567cd8ca0d18c1dededd39a
SHA1 0f6d013f294b267a0aa082ec3d422cf7eec2ba96
SHA256 bb2576e861a0c507db9ab2a29577803d7258eff03e52dc5f36faa51249c892d2
SHA512 e294e462cde5f099f2b3b6ac14b3771ada2ca1ec26ef485712698a98e5f4c4298a4ffed2e8cb99dfb096adf48e368ef50f30d7a5652a67fa16b250c7653d8580

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-profile-l1-1-0.dll

MD5 724d2fe0b0268b30e7db9a7488f2b306
SHA1 6cccc9bab72e205f18bb5485619dd3ccfe58202e
SHA256 074a6052a889456895d4eb8d592088b1d3858d3f6cecb884c528e74400710079
SHA512 37e6f1ddb7d57aea23da10d13a3690740babbd3634d2966a3377c59248e75982a7fe2ed5197c1ba97d7d77906235c87d78067a3430c6d45dc8a4e5fa4d7e6409

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-1.dll

MD5 2da80fbfb025423ba529e0ed5d396caa
SHA1 94eddff83c93411c0fb48101177b238f2cbabdb6
SHA256 a074cc02be4cfa314ddd7223c288b1a71fe74143c3229c7cd30fb309419d7aa6
SHA512 c23e38776c826f1f2c9bec5ba2b0fd0366d1afdb06b805749814472a362f0fffaa5231bd678af17ecd7640333c5af4f2607d976521f649053ea3d24c8e7e9c9d

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-0.dll

MD5 fbb8d74d5ca41920f285ed9d4634d501
SHA1 b1157ff444075b76bc3533b036793bda4afd96e4
SHA256 7748f69d1f67fb4afa2ebb9712687d0b9235346d35909fee80dd5cb776ce7638
SHA512 a7d6ca4666eeedc5c4bb3db07919c4d08efa67638d0cbde7cbaaa5f40a59f2c61745fc129e882d47a39a561ea78aa7ff309286921945d940ef26d121bc865cf1

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 3d9d3eaad4d1f94fd099877e3c3574ee
SHA1 3dc985619b35e8d8bda17bbffe3fb9d73c697998
SHA256 0986c9945e4db6c7e5bf42556f28ae54afafe5d991573590bffb9c494deaebdb
SHA512 5fa46bbd7eb1df2f5c233c70f5a4adc316b24e1de7e91c608d52f537a1ffa6d5cc8b1b4c6b4880b33acefb8236d7676ef50527b737ac23be968e5bdbdcd2f368

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 38949794f4b5ed88fc604583ae0c9b1a
SHA1 ffe2baaa0dcf56b56a726e314795e70d23149fe5
SHA256 2dcec9017298d32b92223c0b9125ecf15cf330973414b3e181a9dbbbd74145d4
SHA512 001f460d03b71f52cda97f5305b15c5fc40c1abe8c6deb429ecbd15d06a4ed26f7bc8cc491629cea14492cf13e22c1817312978b6095ee06b1592004a361818f

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-memory-l1-1-0.dll

MD5 c5c07cce6b571f4d566fbb2dfcfb009f
SHA1 4379f23072f145b3c31631faebba76321713e454
SHA256 dfcea447a3436a3b36287becb215633e73760de7d1df88dd24ce0f998aadf597
SHA512 d7d53c04459d373659056ed8535982ad6c558cac6239e9fef51074e8479b8777eb2dbdbf63678868f5902b6414a446b46d9d9acb9d70f3bd3dba5cba9512d982

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-localization-l1-2-0.dll

MD5 b20db974fdaf13d7a6c518c8cc4d124e
SHA1 3939b029019a583c3a65ae0e3bc2926f0889cc11
SHA256 c7253d57e123911ca6a0cdc8c74f103fc048399224393e97bf5a2a993cc13fdc
SHA512 5dde8bc5f30b69c98eec6d4d279bf1b1747ae119b8ddf8e96515d503c7937154e74bb88d7a01ebcb2b15b0f3fc2e74344c8f0df7add45af944028e3b3cba8245

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 f51c295b1f6d6845be84a53ac650e0bc
SHA1 edf0d80ea2c7de134af5d1da1f07f7cd33d9d972
SHA256 6d85722c07e91050b89692e647c8c9c6fec8c39a998286e0084a4a20619d956e
SHA512 f84224a40bf12cc61ee47607fb3d367135205d7f26667de6ac930e7fda064d8322c0279fe2d67da92d8e017b9ede8a14ff26c050c35347112052e9fa840c5c3e

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-interlocked-l1-1-0.dll

MD5 64350026ead6e66e58759314ab2b2c8d
SHA1 e81696c0cdd81af0af47c696806e745283538c94
SHA256 f30dff7c389fc5143475a99945eaf9f2e36f2f50709e256c990b10459e32b8be
SHA512 6f55429adaa2107680c9d67a15b8094346b5bf295603ec7b2cbde7698d1e1f18436b6b2303b08b83f0177c77f877a33c16cd88cad13681616c0f9c3d751eb7bc

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-heap-l1-1-0.dll

MD5 1b292e0f2b2d1a67d2032b5414c280a7
SHA1 3f42ab6ad2c6fc52d11d677c1287c58bee3d0a37
SHA256 60fa39cc05a21ce16a8651331445da1dd0e5e6c0194de819b4fa6a245f517396
SHA512 b9f6da412491d9919cb8a33483147c608d30cfa9651f326aceb96c85cf5163dd85a434ed8421cbe9a6d355df650564252cbae46a4b340459bb3d30f616e244ed

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

MD5 a6c34ff1ecc9abc954922c5e569d7912
SHA1 910709fc703f559d37ea6d7d75ee13b62cbb4290
SHA256 b71658e60bfa69f0bbcafbc8df40b118e9fc5df747e2069db0ac18b66aaab818
SHA512 c0612a7cfe143c22d9945e287a4be0378b808e974a845ba762bbff028080eb6149bf5451d1f7aa0c2cea74499b82007dc730ad51b0b2db4b0f8fc11c03f8e20d

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

MD5 b3a3f902a5fe7b70c988aebd0e523d53
SHA1 6fb07024c76cd0c4e07c3d0efa088b74998d59b1
SHA256 61365671b9fccbc10c06ccc0d4c8875dd98ca51e8d3eb77e91069b1bd11e4a96
SHA512 3bc057781870932f9703561bed8f786af9306a6a237582551edd12220e95521b8433a507ce702fa929654e930d0cba976eb0fc72fbe567d44620232e18390ce9

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

MD5 2bfcd1d1b70eef1a10c939a4eeab5403
SHA1 12656ee086124eaf205a9eb470a78bc5e3d2512e
SHA256 b0919c80eb88d5d6aeb7a6eb42344f40ebf6bf0914a45045d9606e2469f15132
SHA512 9143ffd7e00f4168f78f72e9e08e6a901ffc57a1bdc07531d73f0d4fc59ae2a114d939bf2a60313ac34aa835e6c297168f255685cbd795c748fe9c8906d2215c

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

MD5 d218fcedc1bee50c45f4e786c6d60564
SHA1 c4371579afbfae000e5b9a0ce07472be17badc9f
SHA256 13266c9674e9c663252ff2dc1a014a86cbaa42801d210f408269bd1dff681440
SHA512 efc30d116515ee000084db671a4c2d68551035b5512e7117c3c53d6ceb2b0418ee2ccdb5f76fa267be48e37d21a950e20423f95fc4e1c4d2c9e5fb47b692c882

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

MD5 b72dcda47e269f98aa6998df1b27b3e5
SHA1 8a68318787497d2ed4ee6d981de825c874bcb603
SHA256 b9aefe9709a17fcaf8b85168c68f42e2b57f8214e7456a82c74495b815dc5bfe
SHA512 17b00481db67db8bf8f07035c760eb7adff65d59c532711d918bb1f2bbdbb6230cd0c583f3418102b80b6a085d45d3e3efe9a641e7dfa821c8a18505e9bb1420

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 649e3b7d4b114213383aebd2dda0308d
SHA1 ba1ba5acb362cbab817c5e1a3126d6ebf600740b
SHA256 b15dd0c332b261d62a0b37b8981980a15e47b4682e6985e26f155a85f19e1466
SHA512 e667462ba457d44982337edda451a5d78eb4b6eab2e6a696ca333bdcd6688873e2c50b45e464e333ecf9f5b07dc35412bc746ff187b99e8139f9b8ef0456849c

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

MD5 df9e90a38a99d1f609ba721a3d329195
SHA1 ad8859c5ec7f591800c0d4b6453eb10167ae142d
SHA256 ba17d3a66e3df85fbf8b82b500f1360f8598cd48a814fda3e552cdd995e6f449
SHA512 e41ba10d2c679754627c348232bd8124a01eceedfe30c88b6f7ed257895a7b59e5149d448a68415c4d2cc1a5c2c32a575f032b764a14a2330d62f08ccb87de85

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

MD5 e763390e8aebf15cb2b9b5b8c9cc4e9e
SHA1 0f9f6544903700fa26c8892ff7e4881c56238282
SHA256 5963b1cdb894ce297e52844741047f74f8d86fa7e97437e26d9bc8f0094e1003
SHA512 4c8089029c0d97ef1a1570dc47a8eda08f2071332521cdb54b5b52786d078c19bf0324fa43b9d1c49b942f8eedf7a6dab606b25a3913a80f6c8d7bb97d28a768

C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

MD5 f9bf7d30ea5a945b77910a06151ff620
SHA1 3158c9ab3fd9b6fed40e77abe39eb53234151977
SHA256 b4ff5467266a4f8e5d8998525a8948b8b86d51a23c2f4f7023c505c8db341802
SHA512 07e01ebde7c80fa3937f2169da9dc496f0a5efbbbc9c305e7772e28e334906054c14747fe10cca0ac1f1f275d95a08801ae7c44ca1cbddae1c1e008bf428d1a4

memory/14148-12259-0x00007FFAFEA40000-0x00007FFAFEA41000-memory.dmp

memory/14148-12260-0x00007FFAFDA30000-0x00007FFAFDA31000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000001.dbtmp

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/13384-12314-0x000000006ED40000-0x00000000700B9000-memory.dmp

memory/14148-12323-0x00000258FDB80000-0x00000258FDC2C000-memory.dmp

memory/14148-12324-0x00000258FDC30000-0x00000258FDCDD000-memory.dmp

memory/14236-12326-0x0000015756BC0000-0x0000015756C6D000-memory.dmp

memory/14236-12325-0x0000015756B10000-0x0000015756BBC000-memory.dmp

memory/13384-12329-0x000000006ED40000-0x00000000700B9000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

MD5 e554aa0cb643bfec516f60c5649781f5
SHA1 c3e72ee265351eb1793b89628d431a575921c7e6
SHA256 11fb760eee9875d5a89a31ea811a27e441803913ca7f4b2592ddfa29188677b8
SHA512 baeeb117decc384db88a045207df87758dbbc75c70a8e6d19e44acdc401ca6d84e6030bce732084e1c5fb714fad090b22b90cd239fa6642d7df2ba10d8598788

C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe586a7d.TMP

MD5 d6c372f8969335a9b348e651b3f240ec
SHA1 d53cc5b5cd8d3123ed089dc20d906e1142d83728
SHA256 ef9f84004763d78f54f3274db9f4e8f1b234fa201bad11e64dd0e863631ec786
SHA512 95933cceede9e85c1c179f639c10ca32fcc9795ac26531c517f16f179bd8022f317c70ec4c5ef0f7e68bb329ca912fe2345e1ac576f903c2ae53a16540bed41a

memory/13384-12345-0x000000006ED40000-0x00000000700B9000-memory.dmp

memory/14148-12351-0x00000258FDB80000-0x00000258FDC2C000-memory.dmp

memory/13384-12350-0x000000006ED40000-0x00000000700B9000-memory.dmp

memory/13384-12357-0x000000006ED40000-0x00000000700B9000-memory.dmp

memory/13384-12363-0x000000006ED40000-0x00000000700B9000-memory.dmp

memory/13384-12368-0x000000006ED40000-0x00000000700B9000-memory.dmp

C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

MD5 9ab8fdf3d4043e5c5a1bbe48692303c0
SHA1 e5f470c94013dc0695c95017314fa10644879fd6
SHA256 14d14878ea9f7d8830f4d26bf54acaf66823ca434c34e519668f78e4856c0d2f
SHA512 0bfdea4f90bc34c07af71c3332f3c1bae0742a854d5ca67e6252d5b9505a0255b58227065caf1d1c749d1c6eb3207f867c11bb92b4f3cb412f767735fba57597

C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe592699.TMP

MD5 f77f781a89f12f32f4c6549d1c4899fc
SHA1 2ca86492bab6446e75dbd5032a0be935e9839814
SHA256 061e2a69cea459fb718e9733d9dd248d4d25bfa7e0aced7fb7d7d2a321065421
SHA512 be64b8a1a89fcc163899d38289b259462dedba976bb8826d66fa154e5fb504bb50b8be687c14eb9be923fa5796de1b3384207d523172dbc535492f4b0d55e77b

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

MD5 46f24bdb07aee373908a1b1b07603196
SHA1 8b3423ab3537a0bce78b6e88d45175254b3dbbb2
SHA256 e67bcd4af6ba5b14211a8122a56065820f7db1890a316ba9562744747f06e530
SHA512 2e1daa935d4e38569056142d37f74ce21bfcbb6685cb01ccf6944dd467aa41dac35d96fea59dabf5e9aaf727e2ad6e213128bdfc7eef6eb2a1c2ae75fa490706

C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe593965.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/13384-12401-0x000000006ED40000-0x00000000700B9000-memory.dmp

C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\manifest.json

MD5 2648d437c53db54b3ebd00e64852687e
SHA1 66cfe157f4c8e17bfda15325abfef40ec6d49608
SHA256 68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806
SHA512 86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping13632_1110950427\LICENSE

MD5 f6719687bed7403612eaed0b191eb4a9
SHA1 dd03919750e45507743bd089a659e8efcefa7af1
SHA256 afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59
SHA512 dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

memory/15516-12441-0x000001445D790000-0x000001445D83C000-memory.dmp