036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b

Resubmissions

14/08/2024, 12:35

240814-pshrpssdpb 8

14/08/2024, 12:23

240814-pkklbssamh 8

Analysis

max time kernel
518s
max time network
427s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup.exe
Size

1.7MB
MD5

dd410c316152077eb8a683ed981fc787
SHA1

360b90cd99dd9ead20b21e50c73a3d0fe10123c1
SHA256

036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b
SHA512

81f4dceebe93a89b239076937df31bf28542b23ed8e383ca9b30cbdcd89b3d8683fc8fff9c78d74c1ced281e766cb852b54b6c5b5640b6cb0224b66c747d8657
SSDEEP

24576:nkcCSfG0yWS7woCNAi1GoCaLI4/gPGHOV1VVW4Qn652aPOrjB9:kcCSe0yT7wooAi1GhWI4oPGHOVVWvcC

Score

8^/10

steam defense_evasion discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1644	SteamSetup.exe
2128	steamservice.exe
1804	steam.exe

Loads dropped DLL 8 IoCs

pid	Process
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Detected potential entity reuse from brand steam.
phishing steam

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\resources_all.zip.vz.3c8b3203e5c69d75ea0684c2409b86fe4d0d6f83_2856188	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Common Files\Steam\steamservice.exe	steamservice.exe
File created	C:\Program Files (x86)\Steam\package\public_all.zip.vz.aa9ecccb35e9a29e3145d96f63e00eb525aa9b93_23521009	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\bins_misc_win32.zip.vz.115bcc9d9de122c32d8d720978aab0d2b57cbd2e_10645799	steam.exe
File created	C:\Program Files (x86)\Steam\package\bins_codecs_win32.zip.vz.c5ee0d04a6e0bff812ccb807811ce984d9dbf693_5122896	steam.exe
File created	C:\Program Files (x86)\Steam\package\steam_win32_steamrow.zip.vz.0c900feaff67dd296050ededdae18ab319ca334d_1809836	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\logs\bootstrap_log.txt	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\strings_all.zip.vz.3b383251b8bf5cca5bd408c9d2864bc078e6d5b2_1993958	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\bins_webhelpers_win32_win7.zip.vz.af12407e0ddd4eea45ef705331bc35c32ed0047c_2604192	steam.exe
File created	C:\Program Files (x86)\Steam\package\steamui_websrc_movies_all.zip.4d2183b0476852dfb695b8d70192a0ccece8c7d0	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt	SteamSetup.exe
File opened for modification	C:\Program Files (x86)\Steam\bin\service_log.txt	steamservice.exe
File created	C:\Program Files (x86)\Steam\uninstall.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\.writable	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\bins_webhelpers_win32_win7-64.zip.vz.d2b3e24420958c08bdff94f70e7fa0d569dd3034_2963951	steam.exe
File created	C:\Program Files (x86)\Steam\Steam.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\steamui_websrc_all.zip.vz.7b666afe4d12b1a9b193967ac8a2dbeb4a06b790_28121480	steam.exe
File created	C:\Program Files (x86)\Steam\package\bins_win32.zip.vz.a3c65f0c11becd42062797eb2ac1b1cdfb73f95f_28543227	steam.exe
File created	C:\Program Files (x86)\Steam\package\steam_client_metrics.bin	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\resources_misc_all.zip.vz.e86a975545f3ab21a77373870cb311ef93934b8c_2224876	steam.exe
File created	C:\Program Files (x86)\Steam\package\tenfoot_images_all.zip.vz.193cb8c4eb4446698ea2c0a9e8c4e6b6a623dac7_5572671	steam.exe
File created	C:\Program Files (x86)\Steam\package\steam_client_win32	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\strings_en_all.zip.8ebfe5f184cbfe30df39a3dde48e35ccbe8f2da9	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt	SteamSetup.exe
File opened for modification	C:\Program Files (x86)\Steam\.crash	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\steamui_websrc_sounds_all.zip.vz.a2b25775b33d943e54c45d176558de379111ef5f_3220470	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt	SteamSetup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Steam\steamservice.exe	steamservice.exe
File created	C:\Program Files (x86)\Steam\package\resources_hidpi_all.zip.vz.3de815c3117712cb9eeb7ea4c8b275faf481dcfd_56342	steam.exe
File created	C:\Program Files (x86)\Steam\package\bins_cef_win32_win7-64.zip.vz.c308082fc6607db19b09865ecf9a98af66ba6aea_88974404	steam.exe
File created	C:\Program Files (x86)\Steam\package\bins_cef_win32_win7.zip.vz.5376139cd5567f2b1e3e8bf6214e993d3e25dea3_84311635	steam.exe
File created	C:\Program Files (x86)\Steam\bin\SteamService.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt	SteamSetup.exe
File opened for modification	C:\Program Files (x86)\Steam\logs\bootstrap_log.txt	steam.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	steam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	steam.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe
1644	SteamSetup.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	firefox.exe
Token: SeDebugPrivilege	1692	firefox.exe
Token: SeDebugPrivilege	1644	SteamSetup.exe
Token: SeDebugPrivilege	1644	SteamSetup.exe
Token: SeDebugPrivilege	1644	SteamSetup.exe
Token: SeDebugPrivilege	1644	SteamSetup.exe
Token: SeDebugPrivilege	1644	SteamSetup.exe
Token: SeSecurityPrivilege	2128	steamservice.exe
Token: SeSecurityPrivilege	2128	steamservice.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1692	firefox.exe
1692	firefox.exe
1692	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 568 wrote to memory of 1692	568	firefox.exe	33
PID 1692 wrote to memory of 2832	1692	firefox.exe	34
PID 1692 wrote to memory of 2832	1692	firefox.exe	34
PID 1692 wrote to memory of 2832	1692	firefox.exe	34
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 2740	1692	firefox.exe	35
PID 1692 wrote to memory of 668	1692	firefox.exe	36
PID 1692 wrote to memory of 668	1692	firefox.exe	36
PID 1692 wrote to memory of 668	1692	firefox.exe	36
PID 1692 wrote to memory of 668	1692	firefox.exe	36
PID 1692 wrote to memory of 668	1692	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:2596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.0.1387090804\1035766348" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae5add74-c5e1-4bfd-8788-e8073628fa71} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 1292 11bbb858 gpu
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.1.112788225\1686778830" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f752ef6-a6dc-4fa2-878d-b2a1ae231220} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 1496 d72258 socket
    3⤵
    - Checks processor information in registry
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.2.859437701\1436279676" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d53450b5-51cd-4c9d-b06a-e45dde61099e} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2100 11b65458 tab
    3⤵
    PID:668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.3.401181613\158898676" -childID 2 -isForBrowser -prefsHandle 2724 -prefMapHandle 2720 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0af927e9-c517-4272-b746-74d5fadfea20} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2736 1c485258 tab
    3⤵
    PID:1224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.4.1624189647\36363451" -childID 3 -isForBrowser -prefsHandle 2864 -prefMapHandle 2860 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49cac9cd-61f7-498b-9bf2-ea491d0f1add} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2876 1c424558 tab
    3⤵
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.5.737352331\127292420" -childID 4 -isForBrowser -prefsHandle 1108 -prefMapHandle 3544 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3859565-0b2f-422c-b2e2-f38ae1a1d81f} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3852 1f46d258 tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.6.370048382\1624595022" -childID 5 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5ae8b4-1971-4310-be1c-df262cbeb909} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3956 1f46e458 tab
    3⤵
    PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.7.1447378442\654024852" -childID 6 -isForBrowser -prefsHandle 4156 -prefMapHandle 4160 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19dbddbd-fdb8-4624-ae75-aa19b24576ee} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 4148 1f470858 tab
    3⤵
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.8.1827461750\560531035" -childID 7 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cff191b4-82f3-46bc-a64a-0abc3c40525e} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 3520 22351558 tab
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1692.9.1835345064\422195617" -parentBuildID 20221007134813 -prefsHandle 3152 -prefMapHandle 3156 -prefsLen 26356 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf692f5c-5765-4751-9de1-4e6db11eddae} 1692 "\\.\pipe\gecko-crash-server-pipe.1692" 2980 2257ce58 rdd
    3⤵
    PID:1752
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2128

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
58e0fcbee3cca4ef61b97928cfe89535

SHA1
1297e3af3ca9e4fe3cc5db78ebbfa642e8a2c57b

SHA256
c084a68b65d507eb831831aa2ab9afb9536cb99a840d248cc155ff87fad18425

SHA512
99aff0c481e34cd0e4fcbb2af471afb56d91aa11be664462b08e17ae169ca03ef77e7063b4ecd0f38ca7b2f6dc0bf2e316c7b31dffbbcfc763cd8fae27dc78d2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
6367f43ea3780c4ee166454f5936b1a8

SHA1
027a2c24c8320458c49cd78053f586cb4d94ee6f

SHA256
f8d1972e75a320344e3c834ba0a3a6a86edb39e20ef706bda9b7965d440d1998

SHA512
31aab33e0d272cb43a8c160b3d37256716a683e5052192fd0e4d3cdaf30a10a9afa9d26d5d14ad216ee455627c32892a711d2bc137ee7a7df9a297f001a19e32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
66456d2b1085446a9f2dbd9e4632754b

SHA1
8da6248b57e5c2970d853b8d21373772a34b1c28

SHA256
c4f821a4903c4e7faea2931c7fb1cf261eba06a9840c78fdca689f5c784c06c4

SHA512
196c2282ba13715709ece706c9219fe70c05dd295840082e7d901b9e5592e74b1bb556782181cdbe35bd1ab0d6197fef67258b09491fabc6f27606dbed667d49

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
194a73f900a3283da4caa6c09fefcb08

SHA1
a7a8005ca77b9f5d9791cb66fcdf6579763b2abb

SHA256
5e4f2de5ee98d5d76f5d76fb925417d6668fba08e89f7240f923f3378e3e66f6

SHA512
25842535c165d48f4cf4fa7fd06818ec5585cc3719eff933f5776a842713d7adb5667c3b9b1a122a1152450e797535fc7a8e97ebdd31c14b4d4900a33ede01f3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
53f7e8ac1affb04bf132c2ca818eb01e

SHA1
bffc3e111761e4dc514c6398a07ffce8555697f6

SHA256
488294b7faff720dc3ab5a72e0607761484c678b96d6bcd6aad9ee2388356a83

SHA512
c2e79c2505a6fd075df113ffce92ad42c146424ca39087601daa4ed15a2b5528d478a093921d9d8a738c7b6b963275a0693ebe526b6e2135d14ced03639d0e70

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f350c8747d77777f456037184af9212c

SHA1
753d8c260b852a299df76c4f215b0d2215f6a723

SHA256
15b6a564e05857a3d2fd6eec85a5a30c491a7553d15ffc025156b3665b919185

SHA512
efb86809a0b357b4fcd3ba2770c97d225d0f4d9fb7430c515e847c3dd77ee109def4bef11b650b9773c17050e618008fc03377638c1db3393ac780b5b0bc31b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
49KB

MD5
77c33d419ca58d7fbe25ce9a4e12d2fc

SHA1
69dd2cad1dade9b02ceee8d1f691a31b4879abc7

SHA256
7315b2c8d32d56c57961e2232fdaf86caf4d4719e462e871a3c561006fad6e6d

SHA512
2d3916014f9dd7931ad1da1f0d4e1bd15f4c55d80108929ea9c49ea07ff10b2e88d0ba5ed38b0f3d62c2108a123accef53a4997611e5b4909d81026be702b5fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\doomed\16728

Filesize
23KB

MD5
e8b85b618d34683ec481094789df31d2

SHA1
83ceb21316ba1006e5c54905cd2ae313331d067a

SHA256
76fe896d474df9f28b52ab1ef7e2fc780f5c72271531d58173ca55642ad5cb89

SHA512
aefbcf9ad290959318682994e773fe55a4ee0d8a3df8b2dd0e42c42a20aa174886f6361e19e94c5731880c503a5f961f0d63efbe42f547ef9517e44f8294b063

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\cache2\doomed\18386

Filesize
10KB

MD5
8fae3a0ccadbf59c2d63cf7c4fb52a02

SHA1
53106e2815bd84be7e8bbd69d8cf005501ac5e38

SHA256
e36402d9ea19f7dfac1c9735742de490db70766b1f5f4225e88d235730369840

SHA512
fa970883cc221d26a4e9a12bf7d32d0cc980d692ddf04bbb84e0e4c55a5da49c133ea077e939f91f3157603ee89c3347f74d9ed4649c00800c30f1e063d73fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB90.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB93.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1151.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e8b7a158d46edf5bfdc9cc3bc85d1732

SHA1
aa93fb8a65a279c4ef6d16e0641f7819f25632ff

SHA256
243a4a5e3cc75e96ca8649a4f6031de7298b6474c5b1e6b7ebc81cc1f577e0d3

SHA512
5a26f4ac927d5860ef65cd9f90c6c824ce66abe326637f0d6e44f3a5955aa78790a7b1b63185388baa4325a96762de5ce1b6ab8dc5ed4da6174ed725886778ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\4f837647-9f36-481b-a8da-6c9f55763944

Filesize
745B

MD5
7a63a24dd1a0bc697b8a01bbd04ab1ff

SHA1
d4bd778e83620df45e0ab6ab4977064cb09ee843

SHA256
b719a1ad0715ac101a9ab241644aea70fc7fc43ad46cdcb70de86c881edbe3a2

SHA512
6d97105f311759357b2fe7b96f5b32efd61e0519d51a78187c6a07165bc6f507970f8b4123637883d63324987eff58a7ba28af543e8a8473715512cf625a1681

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\8dc8cbd0-58b1-47c8-8d3e-02455912cad8

Filesize
11KB

MD5
ac3e012b181a7841c5e36607d3e799b4

SHA1
171c62e04fe2449e9a604aa8167caf426e63d33d

SHA256
ff182d1dd52bdaf4613b0b18fc00a43c48b3fa51ddfd4ff6e1c39da26474b038

SHA512
64a64a3a8a5e10ca326bc7529e543962fd7239e823a3b888b9b910e06a0431ab897ab34631aabd237144633d467d4fb41d1e2135955bccb8a5fa4645d5f89dca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

Filesize
7KB

MD5
412be39dcb7c4d86ddd817c4d17e4fa4

SHA1
c173242e208c26481451ead11f8e57b47b0dc5d6

SHA256
633d6f7ef61b0a7b08403ae6a3170a2219a93b1afcd7c143715a94c7bceda586

SHA512
b9f03bedb7bedf4e606d5be4d149062b4dcfbcde153b952b928836d1409d0db77d26f3418ebf226c6494cdca48b5b90579b79e5b5453a906deaa8d5091e8f248

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

Filesize
6KB

MD5
9ba93499326f7ed267f5ae2c4c17cf3e

SHA1
f37c9fa3ea65bae3bedb19f8c792b77ea43c96bd

SHA256
18081085a0a7971048943eb35fb907f4ab51fedcc89c0c0ec5e7fecb656a7af4

SHA512
c3e889a831b892fa03b0e071145781b54c984ffff410e8450b41908a4ea262018b508cd75acc799ac444ed533e122e787a8dc062740fcf0947378eab8ebedeaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

Filesize
7KB

MD5
74417afbfe2937240db688115eb0e19b

SHA1
0881b247095dbd79443746d444699be0c2cdcf57

SHA256
b38711dabceb7815ea32794ab9afef05379edb76c549fdb937cd70ef602ef6f1

SHA512
ed5812345b047faa6a6dea86d3fcd80cf9c8a5c02daeb0b64ac519d4eab9cdb4f8ed7c8622262b6726bd1bc5f4f9c33960c3623d3ec0919eb40b90f9d2098d02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2134f899234b3f8f2cf8fe0ee68bf0ff

SHA1
250e65f9b9c161847af20af53566f13cffbd8de8

SHA256
21bf6c72094adb8e404144eb1d929f598942cfdf329e2aecc5d6efb0671be4d6

SHA512
d2f8c9e5f5376433d270790089bd0a6856d3d21d970b51624679f7064b3c6fe2ab5244ac00cb57eb84a194a1a105b712a9b8f53e7b03d56822af673adf48fc1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
42KB

MD5
682f06da114b278fed3ed0964f8c5cac

SHA1
bca0d453d3a83e6a88c28c2c8cae6d96bf5d748f

SHA256
a36d5d1572153e25dce97e8f38df4821d31b867886341b4e7e44f4103ff7aa45

SHA512
29a40c42f729313118e2f4556be8eb9b244e753304cabf6b09f6416f4a77362697e614babc690813242aed2d550e491ca733b32fa41d1ead5f8ff2809bfc8c34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore.jsonlz4

Filesize
43KB

MD5
6fc38fc49bfb048c2d5ee88887f6d31e

SHA1
724feace4984f235bda96b26559772158abce335

SHA256
5760768b89dfd14f4fd7401c1c1099a6bf550c8daa1f6cf12af9d3588083219d

SHA512
33b79bb69373edf018d72cfc30342da4e8d0917503a5de4415b5591214c1d150eb4dcb9602efe4b353ba8117ec55932f9de22808f929a18a91950a483d0e55e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
a7acb9d1c47c2213d651d12b09172441

SHA1
3adee2feedd684867b9fd9fe33f4b170fb4e0a00

SHA256
b73f15a27ce1de90e9352677f54a08927af545fda080cd265a1d90b96424a816

SHA512
87cd7788c31a7b396a76cd54383d9917d681f9972aeae2ec042b21e8dcf175fe1c881afe49fc4724c90138e65cd32e43c2aefd1b34a78dcf60a7cc056e1ff187

Download Submit
C:\Users\Admin\Downloads\SteamSetup.J45z7e6h.exe.part

Filesize
50KB

MD5
9262b4e913c901ba2a37dcd31e385c9e

SHA1
42cec7852c85a42da1e485631762c20e30ea004f

SHA256
64f396ecb88277ce4cedbe34e0dac8ed7a55271d2d81ae9fbb67c5144064b774

SHA512
ca41fece7b80fa9ec0bacbb36edc08d70d12757b42a376054e1e854729b260fa175b3925ff77ef40a832c22141acd2c68e98cbf89f01839beb6e57f90153bcdf

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Public\Desktop\Steam.lnk

Filesize
970B

MD5
aea19c3931b5a52789bff648afa761ed

SHA1
6cbb5d830663014acef903aecd0404a3e859b339

SHA256
0af026dec35d1505351080324d9b626ce4be5e81e258976f57797faa6e653a15

SHA512
72110b27abcf2f4b2fa8a25876bc46f06a781ebc83ec8fa182312421b512226486dd268d0ade6c48c15a277fa81f0ccad401751a18733a36f061bbdd392a5376

Download Submit
\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1151.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1151.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1151.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1151.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1151.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
memory/1644-800-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download