gh0strat | e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222

Analysis

max time kernel
92s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Size

5.4MB
MD5

c1cd5cb1353eebecc512d0d3f508283f
SHA1

aa0117dd381381842397330969e8605b78e99a79
SHA256

e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222
SHA512

fa4f86ec3e19d60552aadfa2e507607e5e7e2f1c5324589b3a0471813fc65be26eb0e385606ee1132784bfce26c179ae696bdd2aff982f169616e6ba603b5b2b
SSDEEP

98304:SGdVyVT9nOgmhIkfAgoCBa1bPIjilX6V3cMtSLG8aoSiOiicPyK3A:RWT9nO7ygboCByweonccYOiv6AA

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2832-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2832-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2860-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2832-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2860-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2704-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2704-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2832-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2832-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2860-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2832-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2860-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2704-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x000a000000018671-39.dat	family_gh0strat
behavioral1/memory/2704-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259455246.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 29 IoCs

pid	Process
2832	svchost.exe
2860	TXPlatforn.exe
2812	svchos.exe
2704	TXPlatforn.exe
2236	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
3020	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
2980	steamwebhelper.exe
2460	steamwebhelper.exe
1860	steamwebhelper.exe
2124	gldriverquery64.exe
2192	gldriverquery.exe
2300	steamwebhelper.exe
2676	steamwebhelper.exe
2944	steamwebhelper.exe
1400	steamwebhelper.exe
1760	vulkandriverquery64.exe
2936	vulkandriverquery.exe
2588	steamwebhelper.exe
872	steamwebhelper.exe
2440	steamwebhelper.exe
3068	steamwebhelper.exe
2360	steamwebhelper.exe
2164	steamwebhelper.exe
2552	steamwebhelper.exe
1468	steamwebhelper.exe
1108	steamwebhelper.exe
1972	steamwebhelper.exe
1612	steamwebhelper.exe

Loads dropped DLL 64 IoCs

pid	Process
2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
2860	TXPlatforn.exe
2812	svchos.exe
112	svchost.exe
2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
112	svchost.exe
3020	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2236	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
2980	steamwebhelper.exe
2980	steamwebhelper.exe
2980	steamwebhelper.exe
2980	steamwebhelper.exe
2980	steamwebhelper.exe
2460	steamwebhelper.exe
2460	steamwebhelper.exe
2460	steamwebhelper.exe
2980	steamwebhelper.exe
1860	steamwebhelper.exe
1860	steamwebhelper.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1860	steamwebhelper.exe
1860	steamwebhelper.exe
1860	steamwebhelper.exe
1860	steamwebhelper.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
2980	steamwebhelper.exe
2300	steamwebhelper.exe
2300	steamwebhelper.exe
2300	steamwebhelper.exe
2300	steamwebhelper.exe
2300	steamwebhelper.exe
2300	steamwebhelper.exe
2980	steamwebhelper.exe
2980	steamwebhelper.exe
2676	steamwebhelper.exe
2944	steamwebhelper.exe
2676	steamwebhelper.exe
2944	steamwebhelper.exe
2944	steamwebhelper.exe
2676	steamwebhelper.exe
2980	steamwebhelper.exe
1400	steamwebhelper.exe
1400	steamwebhelper.exe
1400	steamwebhelper.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2832-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2832-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2832-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2860-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2832-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2860-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2704-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2704-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259455246.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2584	cmd.exe
1236	PING.EXE

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1236	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2704	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2832	svchost.exe
Token: SeLoadDriverPrivilege	2704	TXPlatforn.exe
Token: 33	2704	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2704	TXPlatforn.exe
Token: SeShutdownPrivilege	2980	steamwebhelper.exe
Token: SeShutdownPrivilege	2980	steamwebhelper.exe
Token: SeShutdownPrivilege	2980	steamwebhelper.exe
Token: SeShutdownPrivilege	2980	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe
Token: SeShutdownPrivilege	2440	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe
2440	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2784 wrote to memory of 2832	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	31
PID 2832 wrote to memory of 2584	2832	svchost.exe	33
PID 2832 wrote to memory of 2584	2832	svchost.exe	33
PID 2832 wrote to memory of 2584	2832	svchost.exe	33
PID 2832 wrote to memory of 2584	2832	svchost.exe	33
PID 2784 wrote to memory of 2812	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	34
PID 2784 wrote to memory of 2812	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	34
PID 2784 wrote to memory of 2812	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	34
PID 2784 wrote to memory of 2812	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	34
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2860 wrote to memory of 2704	2860	TXPlatforn.exe	35
PID 2584 wrote to memory of 1236	2584	cmd.exe	37
PID 2584 wrote to memory of 1236	2584	cmd.exe	37
PID 2584 wrote to memory of 1236	2584	cmd.exe	37
PID 2584 wrote to memory of 1236	2584	cmd.exe	37
PID 2784 wrote to memory of 2236	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	40
PID 2784 wrote to memory of 2236	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	40
PID 2784 wrote to memory of 2236	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	40
PID 2784 wrote to memory of 2236	2784	e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	40
PID 112 wrote to memory of 3020	112	svchost.exe	41
PID 112 wrote to memory of 3020	112	svchost.exe	41
PID 112 wrote to memory of 3020	112	svchost.exe	41
PID 112 wrote to memory of 3020	112	svchost.exe	41
PID 2236 wrote to memory of 1704	2236	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	42
PID 2236 wrote to memory of 1704	2236	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	42
PID 2236 wrote to memory of 1704	2236	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	42
PID 2236 wrote to memory of 1704	2236	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	42
PID 1704 wrote to memory of 2980	1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	43
PID 1704 wrote to memory of 2980	1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	43
PID 1704 wrote to memory of 2980	1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	43
PID 1704 wrote to memory of 2980	1704	HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe	43
PID 2980 wrote to memory of 2460	2980	steamwebhelper.exe	44
PID 2980 wrote to memory of 2460	2980	steamwebhelper.exe	44
PID 2980 wrote to memory of 2460	2980	steamwebhelper.exe	44
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45
PID 2980 wrote to memory of 1860	2980	steamwebhelper.exe	45

C:\Users\Admin\AppData\Local\Temp\e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
"C:\Users\Admin\AppData\Local\Temp\e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1236
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
  C:\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
    C:\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
      C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1704" "-buildid=1721173382" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1721173382 --initial-client-data=0x22c,0x230,0x234,0x200,0x238,0x7fef71dee38,0x7fef71dee48,0x7fef71dee58
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1096 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1400 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1608 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2944
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1656 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1580 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2416 --field-trial-handle=1196,i,15736542224425266837,3173033597062762418,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:872
  - - C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe
      .\bin\gldriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe
      .\bin\gldriverquery.exe
      4⤵
      Executes dropped EXE
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe
      .\bin\vulkandriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe
      .\bin\vulkandriverquery.exe
      4⤵
      Executes dropped EXE
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
      C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=1704" "-buildid=1721173382" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1721173382 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7fef74bee38,0x7fef74bee48,0x7fef74bee58
        5⤵
        Executes dropped EXE
        
        PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1136 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1484 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1304 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1268 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1108
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1612 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1721173382 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1520 --field-trial-handle=1224,i,1590347341088874994,13511495414060433134,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1612

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:1448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259455246.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
669ec5b1c0d33ee4dee13c65626beeaa

SHA1
a1004092231f1475ee9d45aeee61476cb12029b4

SHA256
dda0fc928e765eceb428534a63b986490c4ea43771829e955b063a7b9df2fdd8

SHA512
2153c6c724979336e61c7701c9f3408626beb8e3579e87c4c43c94563f216b6812b2b556a8a1f42ebcadc7c5ca183a424f5a418df0fde1acdc54c660aa3e8243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eb0de882443feb8112f4cfa07e753c8

SHA1
c069e7963880288ed62671a51250e2e3732a3b26

SHA256
7669bed52dc52417b97ec6ee96d708f492d6640c93cbbe03675c3c7963c4d317

SHA512
5fa65f4c711486a0e4a91738cb01b35a960b3dfa96c39798ca879f3407d372a48f11aa01f4668b295064067f09a6116c81a1724c7145b8f7eea2aecccb6b0b83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
407faa43efedb122553f1ce46268ebf8

SHA1
1bddd81998e8cd8dc556b0b0a93fe5c5c83d264b

SHA256
088997809ed8751e57dfb001af6e9ac659fc993337d76f6cd6ca05f1ab37cf05

SHA512
f7218fcfb147c356d291c076603d83523ea8e769e7fed3b5d51d08bbaef13d97915a63d31153bbf4966c3865c9da4cd1967b2b7eba3d0ad665768a4b554766fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31f7ace104038521d01250fbc503706c

SHA1
5569f61e218a5f64758f756503ab13480e7663fc

SHA256
e2e682f15e562cbb350cb004624d2050092cba4a1e0e3b6cacf6f9ef930d4cd9

SHA512
abd52678d8ebfe892b0ec90b3877fac1697e5d5625c093f2ce198203960c7bbc71484091b4726d568682d8522167f62df6f25fa83915e68eaf69d0215fcf98e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c988f4652f28d806009623f673a3fde

SHA1
d86993db565ec268d1c1633024a97d7b8fcda310

SHA256
3370c79db23b6f4a13776cfbc5d51811966dfb46f250d278454ef8e91bac2ee6

SHA512
cb1dbe249b6b44ab7b19419b3b6af2a0b3150efa187d6c37fa05a615734ba9604a05609727e3aadcdb0d01623666cc9939a2cd0f21fb5800c20c404c63212728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0a19a849d1f76fc7bc1e2df96006a57

SHA1
a49f670a1b921efd2325def8757c9e6016404390

SHA256
fefeee935ba01d6114524216e9492dbad61860845b0bcfbc7ccb266649cbdd95

SHA512
847b37ffa2a40e8e289b3144f142de25a72db7d4ea267181648e81af530242712092e06ed6577a5ba00fae1538f96e16ed87501742dfae6fdda0c1c21b861f13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccca92eeea3869e45369c2dab068ee77

SHA1
2fa0077d177c7275d9e7776919fd2811c89845f9

SHA256
6df55bdc43e84f0ae27853a3d50d2d94f687d16893290d3c7996d3bf5d75ad37

SHA512
92703e7aba73df5626b44a24c2a09444453aa4ea5ef76d370e6cb03b0bb3cb92a37991a7d1470a1015a5c3da0f95eedca9f9006fa3456f9a51d44e987a19f87f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1132f73314a96e49066d291a182555be

SHA1
b464050efdb6406e41bdc502ef05912e0a16ca3e

SHA256
c728e8357fe5b66bc978345d917a4e93763260bd82ada2d5bbe19567edd9445c

SHA512
4923e3a486d7a000ef1335adf6d354c35fbaf291b89cf83b1301ce62716afa57d1fff23fca876cc320fa1094067519604cdefd01f0b479e69ea82744ec2c9b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9a8cfadfed0934f70e014ac1a87edb1

SHA1
3ef08389c02beecce0fbef5cedeb47e1b974fc6b

SHA256
075382cf2e840c1446da1ae6cfa7a0d58cfa96fb1d89d3463193f9ec099ed3f5

SHA512
cab7bb98dbd883e05c9316d7d8e2a308d227a786ecb2c021745724e304e03efdfbb40c8f7c98226eb0261081c82275f5425838c4b0400a06ec19f000ddc4c3f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71a014e253848d90615bc05995b920a7

SHA1
c1888d7efbbf6c5cdb0b81f57f602c17cd06508c

SHA256
c98f40e4a1bccfa9bcbbdd0b77ab8f4758e18613c1c4f6eeeb717d4c95c02d2d

SHA512
8c300587eeba993b66204f9a82a370db210811dab38e174c36b5c256ea6ce6243e4e303d66904b1cbe1abd22b9be93e6f5c7b503562a12ddba8cb55226307943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1df757969e0312c7ff5b5a20616d2118

SHA1
8d545604d21dff88c54ce099dc33d6e763093019

SHA256
ca3856884f6c114fca3952be1ef721015ba2295d33a61e70dc115f84cf84da65

SHA512
2e3631f8bea62ed1825af56cf77af9e3ef1227a6b87c2411f9bef4d75eb6dc2c9d1770bf9ffeb6cb4ca510f9bdf711276fb77fa244ea1e996f0aef51c2ddb961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44e5d796626e3d94d95233cfbb641c4e

SHA1
ce5dbe48cec648085b5e1b4bd5d54a18fe8bf2d6

SHA256
5958aab5ac93d43e3ce9a764bee723f4c7ed0d6c2d8ecd64620be71cce869b4b

SHA512
f39e6a6aec1077f7cf1a9b987d04f270e488e3d47e700673955e13810545492e6336d8e74f8d87f52e59bf25376252145dbbcb08ceb44f9502a36419bddbe2e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f90849b507913b015d0defcfbf4ac82

SHA1
e65e6fd4c466b7369fd69142273698cae842650e

SHA256
9a2a98ff8cd4892dd0278679cc0bbc0f062527d9732d03da4042b05a3d089eb6

SHA512
708327dffe76bc29f1738c932e09be7dfe3640fabcdfd0e3497a4dc360124ace1c7717ce29d3bad28230b3ea7fee29b406c8819abc72c9a9651bcce816dd89dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc09df01b79ecb2497218a428cae62e9

SHA1
b90c80348b6b41da0ed5aaf5b017da227a08fe95

SHA256
198b8ddf2c6c00450d3a14e27f36290945eae88425aad553a08b40499d52259a

SHA512
371bf2329dc993dca318281f4f2d66c9318bb95e8904b610f3e756768ebdc2b788f389dc39811be29e8aab11f108a21d5c826b6943d301cb4073e5c65665a15d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd9550aa612ba202ae6580c0931b0a90

SHA1
f291a5fd82dc6bd2c1d69aae945be67d1de276cd

SHA256
8b837bd743ba346767f9e86dbcb4063dea4104174acf23c8a41e5096e2f7cd5d

SHA512
97adeb3cc00afaaf93ad0b94307980e699fb41a8da5ac062ca11cce2f7481a866820c1aa51c5c77f4c10309d87a7283ffbed8c418dbcdb150eae8cfdc9e06258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4d40419a54e6f6251268ddaf44d45ec

SHA1
f1ce744277cb75698c9ab41b068d24eb0f3cd992

SHA256
0590b810f5c3dc0962d65d485716d01170a9c1ce21f4816e524173390a3e0e7b

SHA512
26cfdcd6d6a7171d2409054881183581753f44c56b878a5566ed29ec6a6422ac3c8387a3368487963ee53cbb0560d50ac619d79f25f00b3888c9a63599dfd311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d06f4e55bd56418dd073789ae5e8128b

SHA1
fa40390fecc11625b3ac4c345ad2aec8c9db54ad

SHA256
ae50d6a8da1ebfda2e188440d0cd10c5e0c16ed901850e056c5242449c3444fd

SHA512
6d4d5109963eae3935a7baa3993963c1401280e3e2d7229d3f62265c29e8106a3bd15e1eccb5b5092497a615b575c6b31ac193bf46381209f9fe21c38a251047

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8733ff6939a14fe7bc9144e04f3f70fa

SHA1
ed984f3a07c5d5bae98afdfecff0dce5150df146

SHA256
49eed62394ee40c8b645f53c58a7cccf76057f7d4cf3c902d11a7b457ac36493

SHA512
cfaac649cb10d9b06c0e8dcbdfb11f3c5dc52a512478c5392682ef795664ad4c74f2d6497707f10f9413944708753bdf4d0f68532017e6216e139b85c74c9ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
279142b3ce0dc1bd5bfb3b9852626f82

SHA1
d255e1ea70dc3799fb5273c75a9ac190f65f3574

SHA256
97a84873a7f9cba213960b863255c451e0a60dd84ee90f0ada60d206b272ce2e

SHA512
d9fa76d4a8e03b679759218e86fc0241933dab75c51af2062bc10b7128e7cdb0dbac5fe3698d9199f82a08cdc997af303acfbe22310d0ef5b23152d1203b8034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
791ef763998211289cdfb89fa23944c3

SHA1
65195e6001b73ac0adfae924dd1af4dd38cb8231

SHA256
bfcab852a27a10820c692585d2d752d635570938e832ff0e8b06b59d46600779

SHA512
5ee44d4e1358dccebf346bc8a38eed1779b081a9f5aa6b8394341fcb2be80bb3da0a9f55ccd7abceb68d0fc631678826e2a4e463f4b217d87e253b9023d53de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a85afa9358b888980ffde0649550efd4

SHA1
2d2f38e423fede02c5196e05725b2039d493c648

SHA256
440062885933a1cd4b0f2b12c4bc41213fbaac0c22d99db58ac2dfac08c1fbef

SHA512
55f9bcac8842bd7d5c8b4993892dbb4557ae4edac31df9394649b52b1954a248d05ab299eb87a68880bdfa6e02d078fbed8e6986b9944bd458346b7a0dac96ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e807688be2474e359d743d42c21f2825

SHA1
7cd4d59d6e0b6445181f4e5d85d7c130555ed472

SHA256
0aa1575f42adefeb9803988338eb02586254704ef1e0c925da5bf22cb9ee0964

SHA512
ee103d18af3bd8cd8626cedff2119bc77dda3966c17afdd8388feeaa5cd2cc7123a8ad4e71be427f2cd32ccaacae051643e59598937ac66e7308124719085ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
165d4f8b4b6afb29c517162018aeeec3

SHA1
3c3fcb7d809dbf58a4cdcbd99120f8c28889280b

SHA256
91428caaf5094379fb69b04e18e1fc71c2a056eea0a3f99f4b358e994b84d822

SHA512
d636c3c0f0cb283ba7e918e056b4b5ad85fb6228f66c0657a1b5b8862cbcc7c373a23cb42dd7b9637c439eff312f5f5a67de5c57884305d7272890d53ae18858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a21de92ef86048c39ba6573bfa1da4a9

SHA1
9d01135a14b927bec73adef176bd2e32c176b1bb

SHA256
6947fcfc4469a8ea9454e2433ba3c58c48e43a7e1108d1ea59f8bdb4f32468d0

SHA512
dd69b7adcef6ab6405d10e1b4dc836651212c00067a89a7e5d5b36ed9b397a25631adba1cbba4dd12082109dd80742d70794bda507a00a2bdb0a472785cc9651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86395ad3914726d3dd0a86cb71d5646a

SHA1
f3cfeac03e4f869aae8043c7116dd814fc563eeb

SHA256
0e276b9ecea7d6f55d89f2cf3ca732f23799d7737dc7ee420bfd2210932474e4

SHA512
5d2a0886578f217e5b34b067bff5b08c427f5fa7b5cff1bde8335d9d4ba6eb197f8f288c649a4b590e1a45eb3dd703399f6aa97a35adfa66119af960918f782d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
049c6d38a8a83f3daef523be43edc663

SHA1
d61d24521f29f15222178f46bfd8d9c7f841d5c6

SHA256
fdf173440cd92583ef4e27ab1595ee294d127795b16d6e1e0778e98f3d6f5767

SHA512
f86059250fcf335923b90447ef992527eb46739183beb5460edf8c74ee5267fa96d4e51f66a57d346914448fe4fe439f1927ebed95121f3eb26d6c0f0ed07c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7a223d5bb3dd3c861b8acd07b2fc3e4

SHA1
30c7d17b925b0e7ba787f28f1df2b32de4a9b201

SHA256
b543f6f6bea41432b56de81246b16ce4789c1ee28d57698caf1b0aecf4450268

SHA512
05e7a1c683cb94c11ee89c8332e68c5217200d7d22eaf48dbc47e89b240c7245863ecc90fb93941a03f752c5d251b7cb9b923639663fedc75970995d124e1a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4a7b8987c1797c503f32eb2a053a71b

SHA1
409b17c8605b8af8ff4609166ec36a50f7bcde37

SHA256
71c167b13a1c1449a15271766802662ddb37f552ca8cb8f4f00cc57e8f9478e0

SHA512
8224ed3db65436fa283375408912d5e4a003c38535c50c7c076008170b1e81039fb16ce3d094b4b3439e6712447d407ebd98b70d8ccbeb9b81242f73b8952ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11c26102a96b1806bd84f848da1f4292

SHA1
fadcc9f7ed3867c889795086bef0b801c50f66e0

SHA256
a8f097d2254083f052f4b2c718f924636d8fd7df288285b65882da0f7fc1f47a

SHA512
8146c6fbd093e4860d8e534cda37999b5653bacac3757369a6067a147740c01acf3a592407d254ee35b1a237cc97b38a0956debb4f7444ec952c418d8418ea92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
554827fe9cd27f32b21b5dbf807a1c9b

SHA1
39ba42c904e52b568f6f19e445873e06e548a9ae

SHA256
893a0aecde19af062911b0899ad0bb426537e8343a0d53dd2b1105e7f701e757

SHA512
62e9e4c729f8c26bdad51286cf042f0c4679e5988bd892fe9e36675ab7c98ad2c5379ee7531613e0b1787289af66bcf8305950b0d2b1be441e8b8ae6bd99a7f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3a6f13c685598ce31b4985bef73b109

SHA1
3525ed54b10b89b7f47acaed43bee81bbd889a3f

SHA256
684d574faaf037f5490061b426e00af3ed845fc3dbc87e294caada00a7380982

SHA512
6b2e619b6eb5a3fd9ba7cfbd2168da252d30f4b03a29e4eb460c46861187a25d476e77c8599695aacbd7f99319a75cf57d8a8d242a83bfae65a336371407aabd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c462c4722bcca0f3f68d785e8e6511

SHA1
aa2d9d7461364daffe7820cc3a33c7a06ed3f016

SHA256
0c4b961de672d852fcb7b5255c7768afd1ad3f58cf6ca95210ffd14af99cb2fe

SHA512
183f8093925c977ae84b08df5ebaa04909ed6f1e1e4e6752baf8f59aaeb81fed4c781dc911f9b37308fb41519f60ae314b18d22b7e0f1ecf2e28ab085cc61df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d8430824a913255af22841f72bd2db4

SHA1
05553321595d58080ada7ca4ba8e85e60c020870

SHA256
18b9cac049641856931eebce62b1fc4e4cdd960bd145aae6f286989e3541b791

SHA512
0c766d99b72f5550c6101bad76a6b4dad0a446f6c414ae8f81cc828b55e6c72784611269a522c050b018ef69e1822fcc9e7a17583bcce3ee3da488b214177801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6b545e6f40c4042dc1bfb8d30d82f39

SHA1
e45b1c98e77973bcbaae8d9a6536821c7605ddba

SHA256
92a5fb852704a405b3423885ccc1aaf6245f7e05197d9faba4b46b38141c56e6

SHA512
7265968da8701eda1009b87786c489b945c7f63b77fefb7e838d8067e268cb9ad5e84f98b216be75d0dd51fe580a1a3da9245d8eec699b92eb77c8a6d4cb4b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
771d0802afc9673c9b5bb884c71b2a8d

SHA1
7d06713f2f0400c14e5fc9daaef98ea89210711e

SHA256
463ae8d2be1a4f5775c84d9e6ef12c3545271c029804e6cc607419e2d850cc24

SHA512
e0ba98e290c14bdc581956616e88189fc7ef400021f683c5271a97b1e39775f28418d1e3d324a5b3dd18aea3a72c1854c3d7e8ef0183c55a8920aff8b4128f88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53f0b9094ca29d3da80e248f372a6e33

SHA1
e15333afcc1cb2a3f0d523d2a0bc21083c79564b

SHA256
6b6c54aef93790968ce53971cfa0ae6525285c23872217a1ce45c15da10cdfe1

SHA512
f05a25db59b0b75be6b26f59cb7c97b0a5a4bfff0ffb1f17b5a92ecebf19c80e4303a83f61bbf873f8da84926a7f21186d984d781b8d2fb4406510ae93e2ef74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84efa99306315e7672ac33aaf7a903a5

SHA1
3ee9302522fa717fe17d80dd3ee6fba851be85af

SHA256
3163143e11b98340d596821a372cec356384394dfc5affdedca65f3d11bad92e

SHA512
ce9e2c7410efcea60f2036d57bc55490320e33e423740668da1b5f72cef7d8301f09aec3547c3b6657d7838dfc854bedf00782bb2505a53802b8169813152325

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56af3038107a9a8c98cfd30f7c216bad

SHA1
0f08fbb016134aa5420333e30ae10572a3402932

SHA256
971e28d5d5a74ff4a22e0ef1e5a1e13ce2db34cd093cb98ee8ed319af14509f5

SHA512
947bbd54c7b45b991ef68e62fa69568aaf1c051b95f9efad268a8c94f4b1629d008c039830a8cc214bfb90cc55a9c0382b7b5bda9baba2f7f0239f0e1f789f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0d870f9677d52c3e156f6aad2a609f0a

SHA1
900a582524b3081512aa9956b9638cbd285b33eb

SHA256
642b764495658c2fb2e99150ab5d9499652b61ba00361915c68697c5d19193a8

SHA512
29fb81f0571357eacbb3b7c1bf2365e9a11cddc3fce74953fe58565b238c28b0e4566a97bc77b9da9b09691d596f5aace4a7d28ad17caf63d7fbd72e3d43ce3b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf77f8ef.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
a77b36449174d458981210bfaf922b32

SHA1
21c6afb5b56f280da16eca8a1f14bf0bb76d8f27

SHA256
986f01a7f2ee9420d7a332eb0c8f433de0a9ccaf17bcd254dde03403d60ae720

SHA512
da7afb942e4e014ef9a2380f5ee6c582bb7eb4d8c6a9f61652ce3134c85ade368c6b309e6a7e9c7ed1e91c302644890db675ede871f680fb922412f01a9e6f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DD8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aom.dll

Filesize
7.1MB

MD5
d764264518e77cc546a5876c3bcebad4

SHA1
ea17d45b396fa193a851bfd345e2b2c20ad60e12

SHA256
e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd

SHA512
7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f

Download Submit
C:\Users\Admin\AppData\Local\Temp\avif-16.dll

Filesize
226KB

MD5
a09c5fa842fa4456a0b53b46f1050225

SHA1
9e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e

SHA256
3d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b

SHA512
71c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\audio.dll

Filesize
177KB

MD5
c3f779618f359161cb4584d8b4f76c96

SHA1
ed20aefa670c8a9a01b2e5648228e1d38a2f7a99

SHA256
06b721c371debecc442b7d03774f99935f46b261311bb1ab110bfe8b0a48a516

SHA512
7aaeef7574def8c27e3b63d07dd9db09619ff047de47253d1035764c80fd6000ad6718cf60e5e2e3a6b4bdeefc407bb5a43961ce03ba512b271c326a5cc307b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

Filesize
23KB

MD5
4cbad862a3ff6e7ac0f33a904d247536

SHA1
57ed831d8f3739aee41735fce679641862c36076

SHA256
32a70082cf3496745580c0e4b7d1bdbe925013300f0573ccef466e7a1915a51c

SHA512
355e5f5081588c2460b6c21818172eea17b18f6d94a958902db57a585409c8a2231a2666bc12548316a041bfce8a2eeeef2e4759a9e38900550b6a7c96d7ed2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

Filesize
23KB

MD5
f9bf7d30ea5a945b77910a06151ff620

SHA1
3158c9ab3fd9b6fed40e77abe39eb53234151977

SHA256
b4ff5467266a4f8e5d8998525a8948b8b86d51a23c2f4f7023c505c8db341802

SHA512
07e01ebde7c80fa3937f2169da9dc496f0a5efbbbc9c305e7772e28e334906054c14747fe10cca0ac1f1f275d95a08801ae7c44ca1cbddae1c1e008bf428d1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
23KB

MD5
e763390e8aebf15cb2b9b5b8c9cc4e9e

SHA1
0f9f6544903700fa26c8892ff7e4881c56238282

SHA256
5963b1cdb894ce297e52844741047f74f8d86fa7e97437e26d9bc8f0094e1003

SHA512
4c8089029c0d97ef1a1570dc47a8eda08f2071332521cdb54b5b52786d078c19bf0324fa43b9d1c49b942f8eedf7a6dab606b25a3913a80f6c8d7bb97d28a768

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

Filesize
23KB

MD5
df9e90a38a99d1f609ba721a3d329195

SHA1
ad8859c5ec7f591800c0d4b6453eb10167ae142d

SHA256
ba17d3a66e3df85fbf8b82b500f1360f8598cd48a814fda3e552cdd995e6f449

SHA512
e41ba10d2c679754627c348232bd8124a01eceedfe30c88b6f7ed257895a7b59e5149d448a68415c4d2cc1a5c2c32a575f032b764a14a2330d62f08ccb87de85

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
23KB

MD5
649e3b7d4b114213383aebd2dda0308d

SHA1
ba1ba5acb362cbab817c5e1a3126d6ebf600740b

SHA256
b15dd0c332b261d62a0b37b8981980a15e47b4682e6985e26f155a85f19e1466

SHA512
e667462ba457d44982337edda451a5d78eb4b6eab2e6a696ca333bdcd6688873e2c50b45e464e333ecf9f5b07dc35412bc746ff187b99e8139f9b8ef0456849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

Filesize
23KB

MD5
b72dcda47e269f98aa6998df1b27b3e5

SHA1
8a68318787497d2ed4ee6d981de825c874bcb603

SHA256
b9aefe9709a17fcaf8b85168c68f42e2b57f8214e7456a82c74495b815dc5bfe

SHA512
17b00481db67db8bf8f07035c760eb7adff65d59c532711d918bb1f2bbdbb6230cd0c583f3418102b80b6a085d45d3e3efe9a641e7dfa821c8a18505e9bb1420

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

Filesize
27KB

MD5
d218fcedc1bee50c45f4e786c6d60564

SHA1
c4371579afbfae000e5b9a0ce07472be17badc9f

SHA256
13266c9674e9c663252ff2dc1a014a86cbaa42801d210f408269bd1dff681440

SHA512
efc30d116515ee000084db671a4c2d68551035b5512e7117c3c53d6ceb2b0418ee2ccdb5f76fa267be48e37d21a950e20423f95fc4e1c4d2c9e5fb47b692c882

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

Filesize
23KB

MD5
2bfcd1d1b70eef1a10c939a4eeab5403

SHA1
12656ee086124eaf205a9eb470a78bc5e3d2512e

SHA256
b0919c80eb88d5d6aeb7a6eb42344f40ebf6bf0914a45045d9606e2469f15132

SHA512
9143ffd7e00f4168f78f72e9e08e6a901ffc57a1bdc07531d73f0d4fc59ae2a114d939bf2a60313ac34aa835e6c297168f255685cbd795c748fe9c8906d2215c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

Filesize
23KB

MD5
b3a3f902a5fe7b70c988aebd0e523d53

SHA1
6fb07024c76cd0c4e07c3d0efa088b74998d59b1

SHA256
61365671b9fccbc10c06ccc0d4c8875dd98ca51e8d3eb77e91069b1bd11e4a96

SHA512
3bc057781870932f9703561bed8f786af9306a6a237582551edd12220e95521b8433a507ce702fa929654e930d0cba976eb0fc72fbe567d44620232e18390ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

Filesize
23KB

MD5
a6c34ff1ecc9abc954922c5e569d7912

SHA1
910709fc703f559d37ea6d7d75ee13b62cbb4290

SHA256
b71658e60bfa69f0bbcafbc8df40b118e9fc5df747e2069db0ac18b66aaab818

SHA512
c0612a7cfe143c22d9945e287a4be0378b808e974a845ba762bbff028080eb6149bf5451d1f7aa0c2cea74499b82007dc730ad51b0b2db4b0f8fc11c03f8e20d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-heap-l1-1-0.dll

Filesize
23KB

MD5
1b292e0f2b2d1a67d2032b5414c280a7

SHA1
3f42ab6ad2c6fc52d11d677c1287c58bee3d0a37

SHA256
60fa39cc05a21ce16a8651331445da1dd0e5e6c0194de819b4fa6a245f517396

SHA512
b9f6da412491d9919cb8a33483147c608d30cfa9651f326aceb96c85cf5163dd85a434ed8421cbe9a6d355df650564252cbae46a4b340459bb3d30f616e244ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
23KB

MD5
64350026ead6e66e58759314ab2b2c8d

SHA1
e81696c0cdd81af0af47c696806e745283538c94

SHA256
f30dff7c389fc5143475a99945eaf9f2e36f2f50709e256c990b10459e32b8be

SHA512
6f55429adaa2107680c9d67a15b8094346b5bf295603ec7b2cbde7698d1e1f18436b6b2303b08b83f0177c77f877a33c16cd88cad13681616c0f9c3d751eb7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
23KB

MD5
f51c295b1f6d6845be84a53ac650e0bc

SHA1
edf0d80ea2c7de134af5d1da1f07f7cd33d9d972

SHA256
6d85722c07e91050b89692e647c8c9c6fec8c39a998286e0084a4a20619d956e

SHA512
f84224a40bf12cc61ee47607fb3d367135205d7f26667de6ac930e7fda064d8322c0279fe2d67da92d8e017b9ede8a14ff26c050c35347112052e9fa840c5c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-localization-l1-2-0.dll

Filesize
23KB

MD5
b20db974fdaf13d7a6c518c8cc4d124e

SHA1
3939b029019a583c3a65ae0e3bc2926f0889cc11

SHA256
c7253d57e123911ca6a0cdc8c74f103fc048399224393e97bf5a2a993cc13fdc

SHA512
5dde8bc5f30b69c98eec6d4d279bf1b1747ae119b8ddf8e96515d503c7937154e74bb88d7a01ebcb2b15b0f3fc2e74344c8f0df7add45af944028e3b3cba8245

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-memory-l1-1-0.dll

Filesize
23KB

MD5
c5c07cce6b571f4d566fbb2dfcfb009f

SHA1
4379f23072f145b3c31631faebba76321713e454

SHA256
dfcea447a3436a3b36287becb215633e73760de7d1df88dd24ce0f998aadf597

SHA512
d7d53c04459d373659056ed8535982ad6c558cac6239e9fef51074e8479b8777eb2dbdbf63678868f5902b6414a446b46d9d9acb9d70f3bd3dba5cba9512d982

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
23KB

MD5
38949794f4b5ed88fc604583ae0c9b1a

SHA1
ffe2baaa0dcf56b56a726e314795e70d23149fe5

SHA256
2dcec9017298d32b92223c0b9125ecf15cf330973414b3e181a9dbbbd74145d4

SHA512
001f460d03b71f52cda97f5305b15c5fc40c1abe8c6deb429ecbd15d06a4ed26f7bc8cc491629cea14492cf13e22c1817312978b6095ee06b1592004a361818f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
23KB

MD5
3d9d3eaad4d1f94fd099877e3c3574ee

SHA1
3dc985619b35e8d8bda17bbffe3fb9d73c697998

SHA256
0986c9945e4db6c7e5bf42556f28ae54afafe5d991573590bffb9c494deaebdb

SHA512
5fa46bbd7eb1df2f5c233c70f5a4adc316b24e1de7e91c608d52f537a1ffa6d5cc8b1b4c6b4880b33acefb8236d7676ef50527b737ac23be968e5bdbdcd2f368

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
23KB

MD5
fbb8d74d5ca41920f285ed9d4634d501

SHA1
b1157ff444075b76bc3533b036793bda4afd96e4

SHA256
7748f69d1f67fb4afa2ebb9712687d0b9235346d35909fee80dd5cb776ce7638

SHA512
a7d6ca4666eeedc5c4bb3db07919c4d08efa67638d0cbde7cbaaa5f40a59f2c61745fc129e882d47a39a561ea78aa7ff309286921945d940ef26d121bc865cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
23KB

MD5
2da80fbfb025423ba529e0ed5d396caa

SHA1
94eddff83c93411c0fb48101177b238f2cbabdb6

SHA256
a074cc02be4cfa314ddd7223c288b1a71fe74143c3229c7cd30fb309419d7aa6

SHA512
c23e38776c826f1f2c9bec5ba2b0fd0366d1afdb06b805749814472a362f0fffaa5231bd678af17ecd7640333c5af4f2607d976521f649053ea3d24c8e7e9c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-profile-l1-1-0.dll

Filesize
23KB

MD5
724d2fe0b0268b30e7db9a7488f2b306

SHA1
6cccc9bab72e205f18bb5485619dd3ccfe58202e

SHA256
074a6052a889456895d4eb8d592088b1d3858d3f6cecb884c528e74400710079

SHA512
37e6f1ddb7d57aea23da10d13a3690740babbd3634d2966a3377c59248e75982a7fe2ed5197c1ba97d7d77906235c87d78067a3430c6d45dc8a4e5fa4d7e6409

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
23KB

MD5
189af34aa567cd8ca0d18c1dededd39a

SHA1
0f6d013f294b267a0aa082ec3d422cf7eec2ba96

SHA256
bb2576e861a0c507db9ab2a29577803d7258eff03e52dc5f36faa51249c892d2

SHA512
e294e462cde5f099f2b3b6ac14b3771ada2ca1ec26ef485712698a98e5f4c4298a4ffed2e8cb99dfb096adf48e368ef50f30d7a5652a67fa16b250c7653d8580

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-string-l1-1-0.dll

Filesize
23KB

MD5
6e55ff194d5bc03a8ebe89c7b237e10e

SHA1
fec152c0e14bdcee73ce234be9b5bb1608b85fd1

SHA256
9f3a2d40be41b0c47fb03df21c4f7e4120cbb348553b642c5c80b92c64b3b357

SHA512
18d8353f171a34e29674dcbff59f4db7e74857c3bb2155215d4179c7c94be7d85d43552f256b002d0e72fcfc3f9d9c4999ae83bf4599c4e68c808419e1618d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-1-0.dll

Filesize
23KB

MD5
94eb94712d2eca213b446f17c62380f3

SHA1
90a32ddb5c5c3e8757670ebc75ffc237de12f2bc

SHA256
902ae18339560e5142c87f97e9574864b518a0ca4572298b418acadecd8ac6ad

SHA512
a9d68a3f68532f8b3e698ad6aa7303ad9c5fb838bd61444f415e20537c76f463d849d3b458f5fdd8f133e46083a3dff93ec6bf48d77495beea27ce342b1f84dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-2-0.dll

Filesize
23KB

MD5
747bedc394cb41b6a0e1b94b6ea8693e

SHA1
e6388ae7dcd0df0396e6cfabe65be85789bf72db

SHA256
ac30c50dc71795c7e0419389f15bf7676718e23f4b786da2ccd4103f24198656

SHA512
15814d5a904fd9d8fba2eb451b27c0f15d892afe98edca36e3adf55fd2df5d516012eb104035aaff0885c5dacc784c44a1f2df3f8a59324483bcb86c8b213bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
23KB

MD5
d2716cd25fd6ac67580982c8efb5629a

SHA1
199c6b5208331881e9425904e345feaf1af45b82

SHA256
329149e3a2360b9e4231ebae9fc3c467d3c560195fc3bc5d2fd31c6a5fd65da5

SHA512
cfca74a6b909bb7d1e20487c4c3bb8e20e9970b49b14fe9d693c5b75fc4b83d8dcfa4ac085fc8db4ed76382266c934939b4e41a70d4ec5308fd8c7f065ccd95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-timezone-l1-1-0.dll

Filesize
23KB

MD5
b4bfb5cd23ca6f9ef9dfd43f70e8bba7

SHA1
2ad09fc7c204d74b4c3c67710a72e10b699d7345

SHA256
e3d05dd8f99995cb289b3f86eaaadd99a0b1ca2e12f0a0db22feec335a938111

SHA512
023d892f449f578c68074a77b46f7fabc4688a276fb0ced6b1eb6c91037f296776e2ddfd81e71c4f8976285b2e1d5d35bad2fe0ee93ff661b78d45fd34cdf476

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-util-l1-1-0.dll

Filesize
23KB

MD5
27262395d098572d6babe49373d357cf

SHA1
b6c3bcecc99ad8d03a4b8672422a5aa5199eb297

SHA256
8b2197d96a4a01465e0062d5854a940232734123536ebd3c4f4116efae772688

SHA512
42e1b4ae70cd97a50b6459ba0f9375de0e1586930c8b9cc12884794de1da905fc7d766811785a98f81f13dc77cf8ba6aaa5ad8592cab4a5b873df9027fbccc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-conio-l1-1-0.dll

Filesize
23KB

MD5
09a4172deab1aab62c3eabfe126b2cd1

SHA1
5ecfb94c505258be83a471a22979f7f85960bb02

SHA256
56fb8c7b7d12814ab0f5fc2eb69dfe98c3e9d00dc554a5e00f2ffdf9fc8728d8

SHA512
e31adafece4e16a76e1cb54d92d82edf441e5c5e3a9c8c68d63bda6f9014705b3a9eee4502bb492b09e3384029878ebb28b82e5c9caf95f8fcae8347aba6dadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-convert-l1-1-0.dll

Filesize
27KB

MD5
75f7dd0261c0a7e89abe0971a6f7fad1

SHA1
a657010c0896034178caac01093430a9b550745b

SHA256
d8f04afab237a0177bc3062c6508c57f884c23013985d3c48af26b7c25028949

SHA512
07960af507910ed1366feb86487b3eb0d942f638eaeba85e1fb1bcf1dba09359c95ca93488cde969259b7e0b78df8a418e62848f49f40d3cceb8cd5f52bd5760

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-environment-l1-1-0.dll

Filesize
23KB

MD5
c1da1a8ee38c89a989b8a892edf48099

SHA1
0a65c36944a2c2e210d96ca394f5065dae34f665

SHA256
f2d19e04a9fe1a382fe5c492501236a0cadc9f106036af8496a8f24457a3feb2

SHA512
085acf718846bed78e73908481aa61b3bc64ff8dd7117baa556a535b5f32d304a2f6d20cae06b0c43ecb5c934bcff4758095a0638aac428a98036e91d3047908

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
23KB

MD5
d2b88081e89aa26e825b04c15ed158e4

SHA1
3d6073d8ca42ef7fd671856cbe7eec20bd78da23

SHA256
9da16f7fb466e63a5ccc24eb7ee95a80ed4216e925545a59fd6fb5d7236211f3

SHA512
4544ee07592758723947b039e7f4712c0658ef40942355e3424838aab6382c110366c9013cbd042a605bfca73b6535cedcd146db8a6e850bdb5a50f4132135a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-heap-l1-1-0.dll

Filesize
23KB

MD5
295a7f69076e8e789860bb3d566caa0c

SHA1
4d7ee1025ac08ce85f95c620949f9af9a0b8ad3d

SHA256
516dc0852025a741cf5cfc6be3e4ad791d4a5aa692fa35498ba7b5f146d54a1e

SHA512
959d1171c77a0c7267d69737c781c0e66cd9f513a6267e8e5c986677aaec4facae8e024bdd0a3a6ed4905df116e5d80f706d51da0a3cf26cafda2b13bcd86c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-locale-l1-1-0.dll

Filesize
23KB

MD5
74add032773802678bbfec4d07c2f95a

SHA1
f30cd5da7d9768696d0d57cde1ba7141804ffb0d

SHA256
f55be8b606d5715e54cb795b822aa295c4e0e92170359fedf0f72c1fe07057f1

SHA512
7f2e74a2d158588aff68ea5a23237f5a08d75ee1dfc72c2b8ba4c1a172cfa826eb71ed3dafe524dc6ca4eb4d96e2d1fffc6a39e85caff5aeb3925af761623da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txt

Filesize
15KB

MD5
393e77e60bdc6e23016ab26d5fbccf32

SHA1
9305ac3410f3060c6778aa597ef87ebc598ec948

SHA256
c9ae7e5c85ba65968194eaf321848f1086e95c58b2d1714d34a503b11d75bef6

SHA512
79f5ef58f370a77bbc5537ffc0a36ebfc563db9f77931beb286a7df2bf1d3271ac29e6a630ca356cf3904f99a86e3e700d41462178a9242ed16840eb84ce596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.bin

Filesize
3KB

MD5
0014e705b4ced739f4cf46a812af3388

SHA1
a044e11f69fec40a6e71e4c74b64964ded114b22

SHA256
fdbb391e64dafc04fcf00e17d4bdc98d04c8ef73b20c2b499299f7bae0941bcd

SHA512
d73f950f4997b7b7e9feae2ca5416f947bb9eb4652748a69c512a796f11af49337e4a5a5fb3b11fb3b9dae871e6b477a8765991782ba3007cea00433bfdec369

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.installed

Filesize
473KB

MD5
5e106d249ec5621a5e1108b283957786

SHA1
07544be7fe36e112eb92ef963f1767aefbdb3805

SHA256
6c496358b33601a40237cdadadb91045668e456f06d0775fbb41a9ce01fe989a

SHA512
61396b87a1e8b6f27f67a3569b89aca5183e5abbaafd548ba10fc3aa97c51e2f59d6ac4b9d29348ffd1ab40b84f4d33505d4f64e74294f480fea9cb474179774

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifest

Filesize
9KB

MD5
628c58048e8d0dfd0d5a985b359b353f

SHA1
fa1c6b8addaeca7da658894e64b62252f8aacacb

SHA256
290816f20a98ea9b9ab3185c2c59eeb3c4c7b9a861c72d453622e7d1e07653d4

SHA512
be287f2c42927f939997b61052e23fb4c13b7709655fc20c34956c5d131d8820cf90aa67139191f801c1ca118ee71a33b74970e263ed87916203fc0f3e6fdb8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\HD_e911711f46a5a4cad3aa9a90217666b76dd7c0c7137a7dbf0686fe1c6f69d222.exe

Filesize
4.2MB

MD5
ea6ae07191d791da1243a8c84e45b484

SHA1
b09c09f5ef38e2c95b91edf42ece680bd6246798

SHA256
4cf97f554b7c2bb90aecbfffbb2168804784b1a65ec357503a1bb7e450d31207

SHA512
6d779d0d4e5cbdf4cad14d048aabf79be7bbf13b20e244f96565ae444ad3433cfe1aa89fb8b4e86bc8a98689d24549c44d3156ac1a1409b8c052d1d977813462

Download Submit
\Users\Admin\AppData\Local\Temp\crashhandler.dll

Filesize
361KB

MD5
7fd9c99282f84cb7895b1461c5b6c903

SHA1
3ace763ad9bc84f85825bb96cbba9162c5c28d2c

SHA256
c57cdc261c15b4c6872e39b6eecf60a0ef7e09632b7fff34c38c3c7b8f715b19

SHA512
832a20949a72d916151ad98539407d2c7e9b15933c01b1b21adf4d14f47464329f07c180d0e1960fb42efab068ad5f310779aaf6cc40bee1c8bcbc32fa981608

Download Submit
\Windows\SysWOW64\259455246.txt

Filesize
50KB

MD5
65090db22b50a2a5ee037d0cdb4f3c56

SHA1
9b3f2a689964b17bb570a10ac9970f9f2a3a8efd

SHA256
10ae8aeb86b23207f77195d85caffe552b8f084b52d4bf9bf51c8e69feed784d

SHA512
45f1ab8a64cc5c918ceabe208a6080a3a45cb79c74191c6951ab269412cb144e715d2f0d5be073f8f37f2bd89f42ece9dfea17a172f5df684b2a0d0d9a933e16

Download Submit
memory/1704-12865-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-13668-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-14429-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-14435-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-13678-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-15194-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-13580-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1704-15186-0x0000000070430000-0x00000000717A9000-memory.dmp

Filesize
19.5MB

Download
memory/1860-12544-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2704-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2704-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2704-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2832-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2832-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2832-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2832-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2860-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2860-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download