036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b

Resubmissions

14/08/2024, 12:35

240814-pshrpssdpb 8

14/08/2024, 12:23

240814-pkklbssamh 8

Analysis

max time kernel
598s
max time network
587s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14/08/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SteamtoolsSetup.exe
Size

1.7MB
MD5

dd410c316152077eb8a683ed981fc787
SHA1

360b90cd99dd9ead20b21e50c73a3d0fe10123c1
SHA256

036128ca60c543609bf2c6c362e2f909c85f1760d4a8d6b07c55b73d36d9df0b
SHA512

81f4dceebe93a89b239076937df31bf28542b23ed8e383ca9b30cbdcd89b3d8683fc8fff9c78d74c1ced281e766cb852b54b6c5b5640b6cb0224b66c747d8657
SSDEEP

24576:nkcCSfG0yWS7woCNAi1GoCaLI4/gPGHOV1VVW4Qn652aPOrjB9:kcCSe0yT7wooAi1GhWI4oPGHOVVWvcC

Score

8^/10

steam defense_evasion discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3844	SteamSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe

Detected potential entity reuse from brand steam.
phishing steam

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\bin\SteamService.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_korean.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\Steam.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt	SteamSetup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe
3844	SteamSetup.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	firefox.exe
Token: SeDebugPrivilege	988	firefox.exe
Token: SeDebugPrivilege	988	firefox.exe
Token: SeDebugPrivilege	988	firefox.exe
Token: SeDebugPrivilege	988	firefox.exe
Token: SeDebugPrivilege	988	firefox.exe
Token: SeDebugPrivilege	3844	SteamSetup.exe
Token: SeDebugPrivilege	3844	SteamSetup.exe
Token: SeDebugPrivilege	3844	SteamSetup.exe
Token: SeDebugPrivilege	3844	SteamSetup.exe
Token: SeDebugPrivilege	3844	SteamSetup.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
988	firefox.exe
988	firefox.exe
988	firefox.exe
988	firefox.exe
3360	MiniSearchHost.exe
3844	SteamSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 2724 wrote to memory of 988	2724	firefox.exe	86
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 744	988	firefox.exe	87
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88
PID 988 wrote to memory of 1196	988	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SteamtoolsSetup.exe"
1⤵
PID:4772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d4336df-f4b4-4b66-a6aa-242afd859c3f} 988 "\\.\pipe\gecko-crash-server-pipe.988" gpu
    3⤵
    PID:744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d4703a-e838-4cc6-9d6a-7afb51ae2981} 988 "\\.\pipe\gecko-crash-server-pipe.988" socket
    3⤵
    PID:1196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3096 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {623f92ed-a543-4c2d-8cf5-7468958b29bc} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2756 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 2728 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7cacb6f-6b96-477a-95c0-6f7a0ebc50d4} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:3328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 4760 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7700478-8460-4319-826a-106f54b735b5} 988 "\\.\pipe\gecko-crash-server-pipe.988" utility
    3⤵
    - Checks processor information in registry
    PID:2700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b053efe4-4316-4261-97f5-e38c51c4cd00} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:4320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5432 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5700cfc-a85f-4714-bde2-efaf92cf0a8e} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f7204f-daeb-4130-bd50-af3af5ffed37} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6036 -childID 6 -isForBrowser -prefsHandle 6044 -prefMapHandle 6048 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1d22b1-33a4-41c7-8dd5-b793738f74fe} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:1264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6364 -parentBuildID 20240401114208 -prefsHandle 6348 -prefMapHandle 6352 -prefsLen 29117 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cfa5957-a065-4626-a2be-dea900a83f42} 988 "\\.\pipe\gecko-crash-server-pipe.988" rdd
    3⤵
    PID:1884
- - C:\Users\Admin\Downloads\SteamSetup.exe
    "C:\Users\Admin\Downloads\SteamSetup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3844
  - - C:\Program Files (x86)\Steam\bin\steamservice.exe
      "C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
      4⤵
      PID:1532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7200 -childID 7 -isForBrowser -prefsHandle 5572 -prefMapHandle 7368 -prefsLen 28315 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85648459-9530-4661-be5e-d2ecded5d84b} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:4420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7376 -childID 8 -isForBrowser -prefsHandle 5464 -prefMapHandle 5476 -prefsLen 28315 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d5aee7f-f9e6-46b0-9b73-a0bc8bd675db} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:2412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 9 -isForBrowser -prefsHandle 5472 -prefMapHandle 5636 -prefsLen 28315 -prefMapSize 244628 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0268a95-ca46-478f-aafd-b15bb0396d91} 988 "\\.\pipe\gecko-crash-server-pipe.988" tab
    3⤵
    PID:1852

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
1.7MB

MD5
b466f2eac52b18aea17e979d68fc6b0a

SHA1
81a352380d8606d7a6e42310b5b7f6cc7c89215e

SHA256
1172084181df6d1adb3b04fccf741058fbb995e24b0eb39cd570bd2d6887b183

SHA512
56cd660fd25664905faa06a6be3ce8217d85a794a0c6e80d020c3d8082c06519dfa12f3fceb7e98fd1d6bd405caba6624c449f70ff4b9d2d6cf4595f528ecd4f

Download Submit
C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
58e0fcbee3cca4ef61b97928cfe89535

SHA1
1297e3af3ca9e4fe3cc5db78ebbfa642e8a2c57b

SHA256
c084a68b65d507eb831831aa2ab9afb9536cb99a840d248cc155ff87fad18425

SHA512
99aff0c481e34cd0e4fcbb2af471afb56d91aa11be664462b08e17ae169ca03ef77e7063b4ecd0f38ca7b2f6dc0bf2e316c7b31dffbbcfc763cd8fae27dc78d2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
6367f43ea3780c4ee166454f5936b1a8

SHA1
027a2c24c8320458c49cd78053f586cb4d94ee6f

SHA256
f8d1972e75a320344e3c834ba0a3a6a86edb39e20ef706bda9b7965d440d1998

SHA512
31aab33e0d272cb43a8c160b3d37256716a683e5052192fd0e4d3cdaf30a10a9afa9d26d5d14ad216ee455627c32892a711d2bc137ee7a7df9a297f001a19e32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
66456d2b1085446a9f2dbd9e4632754b

SHA1
8da6248b57e5c2970d853b8d21373772a34b1c28

SHA256
c4f821a4903c4e7faea2931c7fb1cf261eba06a9840c78fdca689f5c784c06c4

SHA512
196c2282ba13715709ece706c9219fe70c05dd295840082e7d901b9e5592e74b1bb556782181cdbe35bd1ab0d6197fef67258b09491fabc6f27606dbed667d49

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
194a73f900a3283da4caa6c09fefcb08

SHA1
a7a8005ca77b9f5d9791cb66fcdf6579763b2abb

SHA256
5e4f2de5ee98d5d76f5d76fb925417d6668fba08e89f7240f923f3378e3e66f6

SHA512
25842535c165d48f4cf4fa7fd06818ec5585cc3719eff933f5776a842713d7adb5667c3b9b1a122a1152450e797535fc7a8e97ebdd31c14b4d4900a33ede01f3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
53f7e8ac1affb04bf132c2ca818eb01e

SHA1
bffc3e111761e4dc514c6398a07ffce8555697f6

SHA256
488294b7faff720dc3ab5a72e0607761484c678b96d6bcd6aad9ee2388356a83

SHA512
c2e79c2505a6fd075df113ffce92ad42c146424ca39087601daa4ed15a2b5528d478a093921d9d8a738c7b6b963275a0693ebe526b6e2135d14ced03639d0e70

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f350c8747d77777f456037184af9212c

SHA1
753d8c260b852a299df76c4f215b0d2215f6a723

SHA256
15b6a564e05857a3d2fd6eec85a5a30c491a7553d15ffc025156b3665b919185

SHA512
efb86809a0b357b4fcd3ba2770c97d225d0f4d9fb7430c515e847c3dd77ee109def4bef11b650b9773c17050e618008fc03377638c1db3393ac780b5b0bc31b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
573877bd2f83fe4fcc21faaff7190bc2

SHA1
aec4b2d20d10e8380f65123cdd867dddf957192c

SHA256
7a0729388a28df0234db38f0801cce9e0ce30f487516fdf56718976e8bc7aff5

SHA512
4ad80980b9ad3e0e506f49d9317ce3b58e0b2a409997896a16fd3e5b16e05dacb773974ab1cba8e619ded4af2741cd5b4c5ad1ba0df47a8fbb857ff44cf61318

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\thumbnails\ed53caf86590c90709c915abb9a23292.png

Filesize
95KB

MD5
eb113e292ff5a7597dad8b4ace68f1bb

SHA1
3ab98f1d1caafa6861ea4756d1e0393541d3238f

SHA256
d262b3fd41dca5b2123036dcfe8b6af31c4b9b752f2f245033486cff87d8a4ef

SHA512
2dfebaf0d414a2e462d98b9b0fe15fd601d822aa80c06af64350acf2f8a6c92b5c6455e481547b305082d5ee23e95025ba4b9219e9f24183af4e29ffa93b497f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm1192.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm1192.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm1192.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm1192.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm1192.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9HBH8VVNMN5FNR2SSDKS.temp

Filesize
13KB

MD5
f877705e0cf750ab92db8a81c049833d

SHA1
5f29dcb9f52b1303d9fc1611d013b2fe37e81de8

SHA256
93b86563d834a15a163b16440391b923f9e4e6bcfbe2d1d2259a1eca1997bd32

SHA512
56eea1d5e2f911971015ba10de07f7692fdd184af315529711ecb3c9f859dc4be76c55366d5c55a85a17b0856a2cf225f593b701de002ff2c33cb0025f2c2c04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

Filesize
8KB

MD5
4d508867d3a365b10a9beead562901ca

SHA1
636a142d33259bf129c7437cdf73e87a496c96ba

SHA256
9b44685d295e9eaa9ca2b40761d4416f7f467f543f36e7684aa78a1d048fa3b5

SHA512
eb9ef2ea91c73a881f9674964f334c9e01c7e6383f6f2e7fec2cc9f26c627f5c21a4ffc7371f5f9e199975ccc565e687a3f5b98bbada37aa46179095e03a2f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\bookmarkbackups\bookmarks-2024-08-14_11_AxhfEr2-OFLpTzkjd981hA==.jsonlz4

Filesize
1001B

MD5
8693afadf4cc3bd876dc74648e6e4ace

SHA1
13fddc31ddf842e6c086e7e6bfb202c01ef713b2

SHA256
8050fc7748ef7604f657392e788aee4d49a112b62672d11c24ea301c7f2a30a7

SHA512
cacc0defdea88678dba4e329ca0088d027bec4c97fc763f9a6831fa5a5e5654397fe578aa59bfcb8592887b95f004a7b758569281142ab5c230824bf2fb39918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5ef5daef0ee27ffc7c7ebea180984bdd

SHA1
14edcd1376d1486ee55249dc9539090b0a00739b

SHA256
c7d3c64baf3ca85682757574bec2ab5c2d2bffb71cf8b2f584f2cd8074fce536

SHA512
7293fb47b655a874682562af580ce9eaf39ad7632176b5a247ee909091992d787e8194e72f15c55e4507f0878226709dac3d1adf29dbec2901030c8078775f73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
70KB

MD5
cbf1fb2e45bfada96deb4cf865061b0e

SHA1
955178d3802b4182bcff58520ee9614061d0f643

SHA256
b990e2c7dd9b8ecd81f7c5367f44343d3b5e110dd2e4e7f403d79ac9a9a74230

SHA512
a79c719676eb2012b5450bfc69b871cb3c41172eb56f476a5077238ba881a22cb12a1656c2b1ff866daa05041e7e618ced51b31187ff0c27305928fd01425dc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b503bd2ad575697be673119772b0baf7

SHA1
b3f7de6d3cedf0e4a87c4d188c5a887ea660768b

SHA256
f1bcf36898d395733ae4f5454c20b7ffea8b6a025ce0307c17c485e18b3154ce

SHA512
e539fd79d395ea136dbd873184cc419b868f505d23d3af1d6c4e1d749293b7cc7b62b9503bc4ceff49dacf04f695f4170b8d8098dbba313d6e0a6519a04f63d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
0328832d8b9665de2d7c98083f353815

SHA1
0c5795d0237ff07254b6118f19a68bb8a5859964

SHA256
7fdc1e351f98adab3d550e996c90a6cf03a565171108122ce5343bd16ec4ba83

SHA512
b85f11a3d0965ffe2ef5b2b74c63b6c1f323887eb8b73c5a4c14f64e3c20d3c302692a3855c8fb303164bb22cda78001c4b7f966b0f0282d51ce4cedf1f15b71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\320d2c56-f5fb-4205-b332-1d9f91b4761a

Filesize
671B

MD5
9fc965ee56272203dc14488b4f94991f

SHA1
00a9c4df9544b92b727427761a8c4a28274399d5

SHA256
8f57d52d8995a193dd01dd50322e2a6d2a0d43fc7e93bcaa1c96c86f41b87ab1

SHA512
a2433a538d414bd60c7b3b83d280d91eaa50ff59fc601dfaf7690a5a418ec228f849f8554cd9f5a85cf92b6d578bcd400b22cf24e5a918f9f4e11a474f45b444

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\5fff6b35-b9a9-4a84-8bac-b7bcd3e3c041

Filesize
982B

MD5
083dcf3394bb917aab6cc0a3fe333fe6

SHA1
4f04486b2cd9b17d41a944e6b2c933d936614445

SHA256
291eed46b507145723ba92f0b08032ee3a52815ef57d2bc39aafda7bca3e7dd9

SHA512
4bc76b3660ab024188ef37ee3b91c502fb9991579a8b2c707c9f0007b5dc23aed4c605677a48011cd9af5c8f97e0236fb6ceed6aa5918e7d12e73eebf1d23e88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\f5a65d61-6cb7-48e5-8be2-aa6b568dc626

Filesize
28KB

MD5
852c84219190db77611bfd3c0f7544c5

SHA1
cb529ad6b0af74a5ec2fb6e901bbf9942d54e9c1

SHA256
ba15e6840ef93f5161ce3c3af0c4752e1226f745600ea89366056a6c8708fcea

SHA512
4c19a5bdd6ff3127deacd3593bd5c3c3ef312e05d663bea1e6d99a789760f6d5d8f20b47e5421811efbf99313a9bd4b8d8adafee99a73f3e0daaae61e030228c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

Filesize
12KB

MD5
7cd8e231add8abaccda84dd457cc4e59

SHA1
4df8269cfc9c8c8d9f6b7ccf015c5cbb30a59931

SHA256
64693fd3bb3c52eb8dc5de73dd9f7a0503f5bfec528361df39b1ad792c861cc3

SHA512
095c7906642c51524ac74eb906e4a85d75354999c396effd29de2efd5a694087c3c3492a87de98ff08092b4f51d1c679b96ff9e514f03f1508c017679ddf42d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

Filesize
13KB

MD5
3c0f95f67560c2da6a83430d7f095224

SHA1
3b3f0ec3bdcc209d3aa56fa6b58ca2c63e6c58c2

SHA256
b8a13f654773cd7211e1bda008f6418902ab374292faaad8df026b74d07a2047

SHA512
57d924e5df5862fad31235e5064128c989e0edbf609c0e237fe0587163865c55fd6048ae3cbac32329375bfe63d53fcbeee00ded0ab316a24249f9265d0db019

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

Filesize
11KB

MD5
16b5fda77cd5384623ddaf9f6b4a0b7b

SHA1
2a1d9742fc655447e978195fa9cb4ec0f92d902d

SHA256
09dad8d0b326b1c177a1e669123356f5649eb8da728aa8ab153ca857e2476e81

SHA512
ef49859656eb52e1f03c602b954ae13b1c53110cb2e286d6f18b86d8bc2d7f3488806efed7828a1b4db4462c226243e13d147b1583bbca3ded443b9c638fdc25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

Filesize
11KB

MD5
756d4e0ebcdc3e10e70fb077441a8b89

SHA1
f283d37219cd6775e41ac2ad754d8ddcc7fe862f

SHA256
ae321ebe303b43c7244be07d8665ee05652faf8e063c8b55abe0314f216571fd

SHA512
6a37e361e000438b7146478a4fa76d8e4a8d82e9102328effb879960e0e4ac647a361eef3936a0c4e707d7da9b04b04f042c0fd3424c6494d8f6e0474d30325d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
52ce07544dbeeac590aa508d893a6f36

SHA1
26ae29963b604cf969ccc667f4a536fbedf51fab

SHA256
99a89f6ae82fbb6bfc0dfde2d420f652b5281cbcf018b101d38959909ec0f7e1

SHA512
cfd0fbc81844ed44331cad97aaaacdc25b943aff6a9cc00e8b1119c866e96e3253e7527b2d511f40b020ddb9cdebea04427da2adb413d7e340af5df1a01a6853

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\sessionstore-backups\recovery.baklz4

Filesize
42KB

MD5
1fa4b3e24f17dcef4131352d721770b5

SHA1
15d3e5977db60ebe8d78baa6bc223b77e3c693c5

SHA256
93f461712ad072e9654859768ccca0229b2397fd123419e0d70fc2db91a91ba1

SHA512
e531472ffb8b7587b87f0594960ebdba5c7ff95ad3cae94f1f6875b221bffa3ce2a3586689ed7f9f622dadc7f33a167296e2b5a5c38eec8f105844d38dae0e3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
568KB

MD5
e2f85d34a81f0834463ec852758ce7de

SHA1
4a6ba7541961fef9baa6c28e590ba91d96c3095e

SHA256
ba77adc0a2277fdb3f436754e987646dce1c20d185ae1579f9a7894b6d6bcc90

SHA512
045f7c76060a132a1c55d86e925fca0bf0f9337617241959a87389789d5b1382916c62bec92485be9f13ceea09b89461435f62cb405c1b873ac52a222ab2ee5c

Download Submit
C:\Users\Admin\Downloads\SteamSetup.exe:Zone.Identifier

Filesize
147B

MD5
6fac30c6aeb8579559e615cab61c553e

SHA1
ccaac9d9a91496a2ff6d94272e67ccf853e5d6f8

SHA256
f3340a0498a1387b2e127b112d6c5301fc8701aa5ba7f0948e34b2875b277702

SHA512
10637368708137544065ef625c968ebcdfab6c4fbe63515eb5f40009a7fa45f596c46905d26442d43dc6419207fb73d8a3599e40cf41a2c755a068e724fe3103

Download Submit
C:\Users\Admin\Downloads\SteamSetup.zfzN0P9B.exe.part

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit