hxxps://discord[.]com/login

Analysis

max time kernel
1799s
max time network
1791s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/login

Score

8^/10

steam discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 21 IoCs

Processes:

tinytask.exetinytask.exeSteamSetup.exesteamservice.exesteam.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exegldriverquery64.exesteamwebhelper.exesteamwebhelper.exegldriverquery.exevulkandriverquery64.exevulkandriverquery.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamerrorreporter.exesteamwebhelper.exe

pid	process
1096	tinytask.exe
1640	tinytask.exe
3124	SteamSetup.exe
772	steamservice.exe
3152	steam.exe
12740	steam.exe
12800	steamwebhelper.exe
12836	steamwebhelper.exe
12992	steamwebhelper.exe
13132	steamwebhelper.exe
13324	gldriverquery64.exe
13388	steamwebhelper.exe
13432	steamwebhelper.exe
13712	gldriverquery.exe
13760	vulkandriverquery64.exe
13844	vulkandriverquery.exe
14380	steamwebhelper.exe
14864	steamwebhelper.exe
15320	steamwebhelper.exe
16816	steamerrorreporter.exe
17272	steamwebhelper.exe

Loads dropped DLL 64 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamerrorreporter.exesteamwebhelper.exe

pid	process
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12836	steamwebhelper.exe
12836	steamwebhelper.exe
12836	steamwebhelper.exe
12740	steam.exe
12992	steamwebhelper.exe
12992	steamwebhelper.exe
12740	steam.exe
12992	steamwebhelper.exe
12992	steamwebhelper.exe
12992	steamwebhelper.exe
12992	steamwebhelper.exe
12992	steamwebhelper.exe
13132	steamwebhelper.exe
13132	steamwebhelper.exe
13132	steamwebhelper.exe
12740	steam.exe
13388	steamwebhelper.exe
13388	steamwebhelper.exe
13388	steamwebhelper.exe
13432	steamwebhelper.exe
13432	steamwebhelper.exe
13432	steamwebhelper.exe
13432	steamwebhelper.exe
14380	steamwebhelper.exe
14380	steamwebhelper.exe
14380	steamwebhelper.exe
14380	steamwebhelper.exe
14864	steamwebhelper.exe
14864	steamwebhelper.exe
14864	steamwebhelper.exe
14864	steamwebhelper.exe
15320	steamwebhelper.exe
15320	steamwebhelper.exe
15320	steamwebhelper.exe
15320	steamwebhelper.exe
16816	steamerrorreporter.exe
16816	steamerrorreporter.exe
17272	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

11 discord.com
126 raw.githubusercontent.com
127 raw.githubusercontent.com
8 discord.com
Detected potential entity reuse from brand STEAM.
phishing steam

flow	ioc
11	discord.com
126	raw.githubusercontent.com
127	raw.githubusercontent.com
8	discord.com

Drops file in Program Files directory 64 IoCs

Processes:

steam.exesteam.exeSteamSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_status_mobile_ingame.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_rstick_touch.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_lg.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\interstitial_controller_magnify.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_r2_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_rfn_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_dpad_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0150.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\avatar_184blank.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\dualshock_4_dutch.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_l_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\templates\controller_ps4_gamepad_joystick.vdf_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\ko.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\logs\systemdockmanager.txt	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0350.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0180.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0341.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\steam_controller_japanese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_dpad_up.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_lt_soft_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_r5.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\Receipt_CC_UseLimit.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\offline_vietnamese.html_	steam.exe
File created	C:\Program Files (x86)\Steam\bin\SteamService.exe	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\shared_koreana-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_button_x.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rb_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r2_half_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_rb_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_up_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0311.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0451.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\nav_highlight_selected.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\c18.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_lstick_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_ring_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_l_touch_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0522.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_rfn_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_left_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_rstick_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_up_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_search_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_l2_half_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_gyro_pitch.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_mid_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_l1_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_button_logo_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_profanity_schinese.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\locales\fil.pak_	steam.exe
File created	C:\Program Files (x86)\Steam\package\resources_all.zip.vz.3d492fce87e5ccddbb855f26680b0c6798901010_2867227	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0321.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_035_magic_0333.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\win32_win_close_disabled.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_p1_sm.png_	steam.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SteamSetup.exesteamservice.exesteam.exegldriverquery.exevulkandriverquery.exesteamerrorreporter.exetinytask.exetinytask.exesteam.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tinytask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tinytask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteam.exesteam.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 41 IoCs

Processes:

steamservice.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{899883EE-D6E3-4DE6-8891-DCE903EFCE15}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe

NTFS ADS 3 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 509952.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 697129.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 446836.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeSteamSetup.exesteam.exe

pid	process
3480	msedge.exe
3480	msedge.exe
1808	msedge.exe
1808	msedge.exe
4072	msedge.exe
4072	msedge.exe
3100	identity_helper.exe
3100	identity_helper.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
868	msedge.exe
868	msedge.exe
216	msedge.exe
216	msedge.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
3124	SteamSetup.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe
12740	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steam.exe

pid process

12740 steam.exe

pid	process
12740	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Processes:

msedge.exe

pid	process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

steamservice.exesteamwebhelper.exe

description	pid	process
Token: SeSecurityPrivilege	772	steamservice.exe
Token: SeSecurityPrivilege	772	steamservice.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe
Token: SeShutdownPrivilege	12800	steamwebhelper.exe
Token: SeCreatePagefilePrivilege	12800	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exesteamwebhelper.exe

pid	process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
12800	steamwebhelper.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exesteamwebhelper.exe

pid	process
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
1808	msedge.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe
12800	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SteamSetup.exesteamservice.exesteam.exe

pid process

3124 SteamSetup.exe
772 steamservice.exe
12740 steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1808 wrote to memory of 3312	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 3312	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 4604	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 3480	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 3480	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe
PID 1808 wrote to memory of 2336	1808	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/login
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff877946f8,0x7fff87794708,0x7fff87794718
2⤵
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4100 /prefetch:8
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4108 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
2⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
2⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5140 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1128 /prefetch:1
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
2⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
2⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
2⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
2⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
2⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2084 /prefetch:8
2⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3888 /prefetch:8
2⤵
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Users\Admin\Downloads\tinytask.exe
"C:\Users\Admin\Downloads\tinytask.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096

C:\Users\Admin\Downloads\tinytask.exe
"C:\Users\Admin\Downloads\tinytask.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
2⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
2⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
2⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
2⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
2⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
2⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7292 /prefetch:1
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
2⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:8
2⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7192 /prefetch:8
2⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
2⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,4830595720199635384,3121242565060746435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7228 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:216

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3152

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:12740

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=12740" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:12800

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x368,0x36c,0x370,0x344,0x374,0x7fff7670ee38,0x7fff7670ee48,0x7fff7670ee58
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:12836

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1596 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:12992

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2204 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13132

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2556 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13388

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --first-renderer-process --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:13432

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2596 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:14380

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3716 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:14864

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1636 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15320

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1756 --field-trial-handle=1728,i,4964421084259799098,1373526556961846604,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:17272

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
3⤵
- Executes dropped EXE
PID:13324

C:\Program Files (x86)\Steam\bin\gldriverquery.exe
.\bin\gldriverquery.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:13712

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
3⤵
- Executes dropped EXE
PID:13760

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:13844

C:\Program Files (x86)\Steam\steamerrorreporter.exe
C:\Program Files (x86)\Steam\steam
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:16816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x528
1⤵
PID:13300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
27KB

MD5
4aa91eccee3d15287b8f2a01e4254255

SHA1
d89f8203934a66b5741256aee086c04f966cc6d7

SHA256
79c601189597c9c5691b763f0ec6fdc9ec8339eea80e49713f76e9fe9199a7d7

SHA512
46424f50d444aebf1dc3a93607b3a374d3e7e988137e291cd8ec28211d05a687d0b6214b45d6dbfd27608728df6b34138504e3343e6bbfd6e1c0af98199179e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
18KB

MD5
a6eead536e5a4d028a3538b3d46bfbe7

SHA1
6fa4331371147b2099e898b2cde79e32f6a29491

SHA256
bf9d968e95aa378078677c02da00c0651bdc00c2859f31555d03ca67dd8e7afe

SHA512
a102aba1290726a905ad34489d80eb2f46b52216d55d57ab427f2729401edf51a5eace8b8e991d120f304861188fdbaa55c99f0f8e18fdc4b895fc261c634fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
70KB

MD5
9100ad14d6c59eef0dcbe42ede8b431d

SHA1
b092b9d5583676633636a4492e098e7fc5acbae8

SHA256
135d4096fdaba85294e2e38bb8d5c7cabb41c073d5c71673462ae5ed67dd893a

SHA512
90f5d46dd5993caa75aa7a02cf86b6709ed195d76b35a1cac9d200b20303b7155c66eb10ee03b09a13f88ec6ab8a469767caffe99fbc4dde9162943313eb665e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
53KB

MD5
bd93386ecf14379c22eaf08d5561c90c

SHA1
99ce7b5b0b4031988f11f7e5ccacd1debbb4bf81

SHA256
cf3d8bb9a7a666f2e5dc71b0b97b97c3a3400765d0e3e9b6ba6122a18aedc67f

SHA512
00e8a04906362656b25b45825a9fa932b839d58d3da9bacbc80474ebb88699a55c13f8aa8eb3a53a0eb209c4796aedf081ec89aafec50ffc5d8bad8890085568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
17KB

MD5
b3d063ee9a3720719069f50c7048cd4b

SHA1
48dc883860f0b737a5478d8b4576a4a2c6340434

SHA256
a874713e3e0eb8493a6e41b0b78eade498ee3f50325076920c9fbd1c6b015ab9

SHA512
eecffe1a83fedd864d883e35a13d6c574b6e8cb95fbc5c984c13da1d9081e51f928ad91037af263aa2a0502ff0506f7ab1f11bcb66838fdc3fbeae9a621913e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
40KB

MD5
23dccd50c1598cf87c321dd0e788e2e4

SHA1
4697f41531098e96b97de4ca6626fd86621efb1e

SHA256
167b5e3d2fc6a069ef986144f71f70ca1ed8c4332846757c8aa4792703420635

SHA512
00174629a41be7b3d69e0ef03041aab41adae416c39209934b8a9c3923350010ddf01ce8d37cedd6bd57769796b41ee3c18c1b393726988039b556416c20f676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000077

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
07792073954affcf5fa9926ac23b57e4

SHA1
1a0a346aa92615cc5b5f2bbf522f7143317e6049

SHA256
7dc1a7066cbfc4378ac1320dbdbfe23440030f3df13f7236df3c3968fe31fb84

SHA512
1ae9f285759d6f58eeb9c6cd0600e3f5b75f1674511e69d3196f4848f8d8f079fc6bba7b9d419f35cff9f9e3271d8f48d1286971fe49194b90311969c2337ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
661931f504148a8909c63969c64dcab1

SHA1
8c2e3e3087d7aeaee187d386690c7c9cf16e5175

SHA256
a17140af7fea727dd56002926031c23d243fe9143008dc06ead65d826cc1fdbe

SHA512
ce0062adccbb6e115790d47d554677d0357cb81c923bafeb0ceb578158e22c0d0b65d8aa67ff8e02e79377be136a65696109783644e2d1673736abc2c7237b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0c08f6f505bccf63004394cc31187ecf

SHA1
e502b6233e8a2848fef9f9b14e301020d4614fd7

SHA256
2fff7c07ce2a9655bb431f7efd3799993fb1ef6badb8c630b38479d3574f4ed2

SHA512
6d55800c04e97b60c75772264e69b995ac717b0cc90ee19de439f2229c29b590d8e7edc7b7cea5e618a09141aad9414d0a7973ed6fc5b2ddc3559acba155c383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ba980d1af45b8d962bf6ddede78c3a89

SHA1
c082b3aa65cb353d3c0c296cf671009cf86fce9b

SHA256
b4067b5f9fe143fc134c777f252afbf0033b84ce40181bceb480b0be32e831ff

SHA512
f381d3330f1821fc8437f4745c0a55f12283729ba5c09d4cda3e3360a5ca8f4da8f4ab92fff1b8cefbea0e6af2972bb9642cc467ecb544629b5cbe0724d6b34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
18089f6a2cadf41650ba3a265bfbcd73

SHA1
d6b970f156d2c9a43059b9596cfcd347989478c8

SHA256
7446bdcc08820e8ee63acdb4befdb286ef0f0cba43a673c501666bb19caf77c1

SHA512
a7c9c3b5e81c63ece9fb6043c73f681e8795cd1e62fe2434e57d5c7dbddabce3b11351c7e1450b3ccabc1616d54a42212950df673b223b8fe87baa140ab4bcea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
179B

MD5
c88a3bc77002a075b95198522f195432

SHA1
dd6ff073c9b7fa86d1a461013165a7251443e777

SHA256
8f8c6061b94669fcf151b9f8f1c979a33ad38d597be893f375bff44ad1b3556d

SHA512
e3facaf13afeab1a90a5c15f31288611e7af177fed3e4474aefee3560c5e1129579ea74857f5a3845b8f04c117e6c5af45c87df5d0b003e1259d918b7b0dff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
939B

MD5
66c571d2591fb0827d95d90a57366399

SHA1
d8392a74ac1d849fcaa7b83316aac5779f1582ae

SHA256
dc627219d3be247bc4d270cff0e7f0313aa42f1ad75f7811863f48c7f873aaac

SHA512
53088441a1310a232e35568caabe677c23d290421c1f1da93432f0eb34b4faa5b94a073bf0e0ed42f0cd26b4805afd75b186f92bd4e2699713fa25a55e9297aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
57b52e5e0a9bc262ed2e2a14ea5a94f2

SHA1
2458c31b31ec11b9a6cdfb8d3fe45583f8b23239

SHA256
66e4eefcab33965761e9af13c8c016dd7c6f14b96cc083f64759c9b7a7768fa2

SHA512
22be0348ef05ac3cfe3d15f28c11efc3ad8cba8745ff8ea52359ccca67654e6aa706c0dedbee7bea1bb40f7f1c23b5407d0f0335e108d8f274cfbf445c3b32ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
28ae20418cfdba0036b67e7cc612b75f

SHA1
1d6cc7f353d96e6b6f0771740dc33476b9568a6b

SHA256
66f79ae5d59ca48ecacabda3392c6aad26b7068864d25691efef1298f1285c3f

SHA512
52b8b3aba46c8d53458017652bdb082f1710e6182fb4e0d0dbe2a6551826f99ed35e16ae332185338855aede4867fb54e7e2815027441c6f9edb67e467955d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d71b648aba40267f8296c863119b5d90

SHA1
84d7fd49efad526206d26d289887d30d3ff0e661

SHA256
34066660085f1ee3fb775363e7c2c031b49c8a7f6c918187eabb382cda32828c

SHA512
28982b19343fb31c17cddab9f7f2df5b3771a2b1f5227aed6c1a4a2915fc934288926cd7359a0b241567b88e44efc7b889bccb3699e6a604a61224ee44d7b165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
903d4a33f01dc01d21e18ab7bff0bc45

SHA1
9ce1a484f818ab4f6e0e0f1aec6ea50fca19dd22

SHA256
9b54269398f51f9dbf542e173a10bd8d96e4aa088cd723b4f22c77f0c9884bd2

SHA512
2c8fef249580daca4715d8461ff0e7ba948ce80e996081c5928149628e1487a5f14f5eb6eb8f91571e6c21e200fdbbc2f25c6a7047ba8f6a49262464de8d1617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
55c03b01a0a32cbf83b1431e1db34509

SHA1
070fd12dd1412c97b7388e43cc72de324b3e468b

SHA256
35b45db902aa5754c88fc78e46528be14b813a44152bad383386c83eb29930c0

SHA512
79db04ebb5518379c499f4eb6d548fd9a16850793cf66257c4712e15752e5f982ead77ab5d441126a7949cac85cc59083f12132db0b9a1878d0bf0c9559705ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c4311658fd82a863457ed6f575b63c22

SHA1
eba98a2f38613ab80eb0895e647cdb5ec59015bb

SHA256
37e83cde4d0e6f9d570b50f6de7c9236bebde1d39e4d0f7b6c077143eb2cf9d1

SHA512
35f4954d95661b097a64c01a346b97bf72b2a68b04a1114286b143f55fb87690e4a88dd2e7c7579b562bf77545564d8f80d0d08c3ff2cf3449b6f9b4d52815c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
de33c082f95e17d14be490c81971f94e

SHA1
b62becdb6984a32068973b3e3f08ab81a107ce5d

SHA256
e2682088b4dde6a933b83405b9947bc209de5afa109ea736c5fcb9266f81e3e5

SHA512
63adfc776cc908dafbb20574ae56c8277a1dff1b9d5993b03f936c74b23aeb0866c33b08fe2fcbb4c5285b36c3e43015793052686405bb8366bca9998b5d711f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf4f919c95354705abf50a491a598bd8

SHA1
134bac498950a134e4adb029233695b805c5eebe

SHA256
bd8b5a15e52352e97492f685ebc985976b5ac068c044ad9bc446c01d75ea31c3

SHA512
dcc368daa1c6e2fc6a034037dc03fbc464d9da2a44ec35b39727115d2e9c9d3d9608e103122600681b67068dd4e386404d1c1e1b9fb1266fa9ed5770a83d7584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b30c97e271fa21a76d769ba67ff17c34

SHA1
52a27059a8da7ca1576a2080d5e68d22cd902849

SHA256
b9abe20543b8bac244b609b175a72ea866aef358ecf7d3e22397361151877491

SHA512
f3a0f5672c64ccb1dcfe34ad5c00878aa89f63e5e9d6c72ca2b8375021ad54dfebf025493dc83937c18b3014c146c435a84560587cf8f1597ef04713f86f507f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
64abdc0baa9b69990c1a77b0a7f5fd6d

SHA1
d7a02ea936aa9fa1654e235d22fe26486e9fd7c9

SHA256
b1b67cbb332fcc6c20b4d5096530c162639e92c0b034a9faf136148d713170f0

SHA512
9c3ab5bff6daf5b90006b2b0738cc9515661a1e87e05e9e4db6f71a5c377cc8a480ba466eb8b149fa7fc7e008f4c93dfad02699e8261fbebcb0476cc77a6ae54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
251e749761dadfce7d8bbae69806d81a

SHA1
197f5bf980ac5e7f8fb20abc57cd16fdc2e34831

SHA256
6a34aa637e0d2e9af851523e1cb5e90d59880f72b3a8f04d43890fc45b7abdd3

SHA512
737e72a36c399d06ef5ceaf5662b10e0b2298aa53836aeb5a5eddaaece70f9df6cb80c9bb7b8afe63331769be5e4444ba96a885f7eff2d3f8f639e90c3601c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eebd98a68b3ab68614a714cdcbb83465

SHA1
7bf4af1c0adb7b6745dc3cb3978e47d796f188aa

SHA256
18fc397281f8f00fc52a57be17c15d61594721180f682e13f747c3a99ae4abb5

SHA512
0e8b6746698296fabdc2f47c009407b2c6e244e930464f13ecebd024e914f0eca0de127cec6b7ea535922ff7c4d9ea7626bdb45edadca2dae1b38f4be2fdc0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cb436c69a0a8cadd98d19de31d4d4747

SHA1
a3d705473133420136ed624788ac255bb0d2a028

SHA256
3a8d6094b9b1934d84b073d0925e0093a32f05faa9d67869fcaa2d46f81f8680

SHA512
094b5f02dd6fd6bacf9a47029d0c1a2f0b731d98d31294b1a9e48924628244536e177145362548d15e45405d55fe58c59657a016cde77e9cc56d6bcaf87c4eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ef5bc26e0b656f574c4e9f9e042932e9

SHA1
3c987852500b407e700940873845a3e3580bc914

SHA256
49ccd5d25a19a715f368992fdeb7558841e4559eb2ebb8f50a7d9cb444ab43fe

SHA512
691ceeabda6eef923707d57380414266e9b70008e3ca9e06c1d9ce37e27dd5ae55eff3a99129a9f3561bb13145aa361fca99eb5762e235cc241ddde47771593e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e3bc97609ba7b038bca2a1a74ea347e

SHA1
0ee44791474b80d989bacb067ce15c7df429f8b7

SHA256
a0d345069df303b58d63a90e097d894fe40aa0f321229800611e749dd2e24296

SHA512
f72296976f1580383936e231be95c0d3f98393c2cf6c6cc7e26666f6ef2b37ec9787b1339e3bdf12d3be26a007fdde89c050954530bbe073e0cf5c6ca992d19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f788b0e11dae8486cc8cc10f19f62d44

SHA1
bfc5a4ec07b2d6f0c196c2c3a2a03b53f735f330

SHA256
528867baeb6d308c2b01564b8d72a7529884bed4243fa986322c4ab7904fb498

SHA512
8b56bc4d1125f399afaa5978931006c8032b239e3b19674a133061a82b3748b48c7312b4c80aef560c4c1772b7b316cc38ea70b576453503ecfd8c19a6f027eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
803a4d2ee4d839fdb034f9dc446b3e55

SHA1
2de45b213c0f87076657ec6704c932ff4f329c1c

SHA256
8c957e57ed4d03bab38861079893ab7f299cdc82cad772fae66b78d40a1b48ab

SHA512
fb36be4291eafc2d09f260b9bf5617ffe4edb18934772aba0e3a268172d97558b4c3dcea8d9bcd98b6c79f7b1b2958e588690e240e2504dab4d0409379455701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
67cc74b8c7ac35eb2dcc72ab700863bb

SHA1
066a11c075b61a81cf24febb947b22a21a81038d

SHA256
f2b8b0b8a9eca1d1770ff2d309fdbf103683e103c221f0d3a84997e55284f2f2

SHA512
640a9daf2915dac83f67d3d229c762c087bb152bdd68d2b63aaeccbd64af89e37a2c8fbbae69430bc267556683cfed936c03bf59f2403529557f0f4d61126a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e695f183eb9ec0c73dffc721c42447da

SHA1
4a0b1da52dfeee2e76f7c1552b6f1c80b4d51067

SHA256
4cc9a7502aa868e292abb40810b6501386ce2823d378125cf65d1f0969897d4a

SHA512
fa185c9d1928e12227e23f3a66618b3a8f261ef63d8bd5c32acbbeb062c6fbafc3c9a26d4a59c7be8876e6b90d52307f8b963cf533dc9a6d798a06fab99c5d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2eb9e96c4f05b760b137eda002e8db1

SHA1
e2d8ddb4d1fd560a14a3d0455829aae325d78714

SHA256
0e108c3d461cb068fbbd292b35d6d59547caedeb950bb140fbc0250264e3d4f3

SHA512
ee32a1ac4b606c59fb6dc1e614d5c8e403dfd9d68a978365bec30f83e6882ccbabb56df904a603b9f88c7f84903fd7e58138c7cf9eae825cc71f356ec4898c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a4281a33879d591b692ed0aeedec881

SHA1
4f545fe3d696550ddbdf44aaf85592392d37847d

SHA256
7b8534eb0babde959d35f322becd26f1f1af84e73400c03a2c4b6c4ce618b1b9

SHA512
c4d3f237a9255ddfa5e329a02e2354979d4b835bae4431b1aca84e08c6537649aa3f5c83ecdf30b7216764c29c6e9d95d51cd1d3fde620ec15471e8b1094f736

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3da650bd0cb49110c776c75e4a49de3

SHA1
b0a877dd2d562e1850e5262282c29f6db651c840

SHA256
e47846b6beb063d804ed4bdd4dc33d9cad730ecef8db2e6785ce5180d221c5ff

SHA512
3b5c47c3f1e5dbe5c8d5aa3180ca1f49d3d9c77d2f726d2ff9874c8e099cf15a27faffa65d625fecbd0409e44b2d234f7761431e82a70a68d1c54033dedaa83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
899e7fd16ffb6a3c9f40b720df13efa7

SHA1
ffb40bd59b55f7265a007ada6ee41577759aea75

SHA256
62ac19a79b80739198cdf5e6e496aa95fa4204e58059bf6be180cc6af20c97af

SHA512
df061ae988932307b66f90fe7ca4ad9d958ff1e341ce8136b2f63b7915ad8619ad4a6ae2793fee19c7777969c95b8ccb6eb008199b73623ccff5078891532e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5cef69.TMP

Filesize
370B

MD5
b5ee996c9521a2f0f13b0127f0493233

SHA1
3395e1f9cd3be6935bd6113f4fd5b1abfa9f5bbd

SHA256
219a41cbfc3047d09d5d02332c52b9c982899ee90e577fa6251de6195730310d

SHA512
2255c9fe1481b8efca6e46152af5d8449d01c4dd434a45663a9a83c386f946598d9323ee4cee1db638916ce81fb45eb542864daa0c39471e12059d99c2576871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab73b3f55292a467d1cfe9fe885c8bf0

SHA1
ea246b9f5b2f7e65fffc0e147e674664bc858268

SHA256
de1af8624edd0d94c0a78630ce61381543356dd194ab975ac78ec3b198ff9fdb

SHA512
c69c3dd4b63d16e04131c186dd6ce3df002ff6fb7ff0ab9e2cddc7adb276e7d0c8d41b26a06f71716ce350d040d7b725a2b5ff6a4f3c349ba50107a859084dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
158fdbd964156a06c3c7034f68ff9943

SHA1
4b8b723f67a5c3dc5fbb8a15a0b85bcf75d92f6b

SHA256
fcd6719ad774c110ea908b0d73c0107611dcad1df2213af53a0bfd90c15a1808

SHA512
db435a650e771512ece5378b8b4c9e9c60306b33453f149c83c0e268e43b2efa6afdb73ff20e4472432b5538d0f32d129723faec5159e5b82fc2fdef249a738b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7dbb7256b0ae1073240c5c37ef75dbc2

SHA1
651028e5b21024302f7e4a1bbb07a5682de1d662

SHA256
3120fcf966ad3d152a09d011408f99472f5acb4cc0e7a30cfa61504c8120117c

SHA512
3a63249c25f950dc4a8cad4068a2827456578ef06879ca91720d11ec2376859360f44c314b9c388126cc56c672d91d41d6380fc6cc225c09b3b1931b8bae973f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e98727066b51ed7770c7adba079b246

SHA1
dc352820195ebe2163cef3be2e63b62b4e3dece1

SHA256
8c304691a45e0cb1c568c722d0cb0cad5d0351489fb10a7144324bbd1e41aa59

SHA512
2178c7b6ead1543066dd92c77bcca5bba81249e63e606653bfaf88a1c6518ba7f68b9ab2592c66a7fbfd4de7d07fc882259345dad87ceb307790a178d962d46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fef8397e0ea39f29064deb2b0e1f4fb8

SHA1
f7d3424241e54189504e02ebeff010c4a467dfcb

SHA256
8cf16012d327e7409b0f3278f8f6d332a9834b984c36bbbbfbfccf42512e4429

SHA512
7de3e9f48d05c6ea75a09d3f54589efcd787f1d2c1cfa916679de4427f32126c8516c97a23d6016f36da5a37255f8648dc83db4d2d056c803fd0212363698a14

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Cache\Cache_Data\f_000010

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6dffe330a1d8134011297d7180ea94d0

SHA1
87b615558ed6b4c5bc41e75c54c7730618b84988

SHA256
fefd086a6c91370aa43140c5564c525001af13d41740d2ecdd4c741ab3dd1391

SHA512
cfef6e83131aa4f41462dd1ae9ff000e8b8939ed4422813a30b538bae369afb3491790a2c5c0ba5664663a30ee45ebfd117488a1000fd5bdf8ccc907dfe18ac7

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
346b9a863909bdf01232bb9af4fe7d54

SHA1
36036f867fc0880ed45dd0daa3a526d675f2ae47

SHA256
f54d8c645587ab28d8bfa4dba89b1f172d8bee3e3159021129a9d33b97bcafeb

SHA512
854519750527a4cc04a39a5122048bfcdd69f16430935b9199b97ba736da394d1cfeaa1466c0e38ef988088b6fa200f5afe5acdbc15f27c53210ff8001b8b3db

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe62cca1.TMP

Filesize
48B

MD5
74451e2cb9da0d32826b5792f728bbf1

SHA1
a0bdd2ebf6c0e109720f404ef4988a0f99bdfd81

SHA256
ddb65c6467517084926ffffa04395577d0961e5629610c2e05d0b0bea595afe0

SHA512
f7b84695b80296190044eba018b3d6048ce7a106d47b8b5804921ff3e7633d78ed2a6dacc351cd5844fc3c89d5bff20221af344ce227610ae85227c04dc753c7

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

Filesize
264KB

MD5
522229dda9c72d7e17aaea4724a0ba8c

SHA1
91e877771ecf8c34efb4c5d91d7c302a0fb25132

SHA256
a3a790f70f91aeb190503ea989248ad7d0bf2f145d8544a3b5acd6ce258ac313

SHA512
6c2e7f8379329af5908da289c7e2e9fb4d5a9e0d5d355664d42f8a4aecb107510c451d5162abc59cb758e9964952eb3bbfc28a3669474d2720a78c1518695eda

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
700B

MD5
b3ae7daa8cc95bbf1e97232cb2f59d9a

SHA1
bb3accf488a389d3c6b2bf7c47601f667fd00f6c

SHA256
40ef513a0c2c57513191b480c36c020598db05b21183e592b0c5287b7e10da4f

SHA512
a41a20999e4aac64276736ad553997c221986437a326fac1178c8950bcaa045ed119855967e318fb63a0f698e58e6bccd33a3e52877541278bbb40664726c17d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe6388ec.TMP

Filesize
484B

MD5
67acc611c8268b490c7eaef0dec5eee4

SHA1
1cd6a34a6797ef8471d197717bafd5be02e3c5f4

SHA256
09ec902f0561f029c1f6345949c59417456bfcde6efc485e1c0727a220bde4aa

SHA512
ecc9d18e628d305489103130b338d231140588135243d37519b1136247d98fe8fc41bc56d728e641face469733266c357e70bd53632e903a63354ae0d0a15eaf

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
685B

MD5
0f612565400817a3fefed79ec2f581f0

SHA1
1ea89524c55f9421ede01232a32209131fe95e45

SHA256
6d49254dab92bcddd1342f748f9b79fefd710f28f567bc620b33d920651d790a

SHA512
f68b14fbcb28f4a8f0b8387ddb85a4858855e3a6570056dbeb5968124b317eadf9869b1e896c38b9713eb742e082953a6dd91c8475178e9d1b5c0210a0c5034e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
1KB

MD5
429511e31cc3434bd291ff7c4583fa96

SHA1
c03fed7cf5e6e0d654139bfcfa055fb324634f80

SHA256
df73089ffbe6ec58fd044168e0e2fd5ee6997cfcc37030f7aff3bd2cf4d32b6d

SHA512
37783aeba2d3b9fc34c925ad91af2ce7f8c7786e51cdf097906f4319170b457d2f94541009fd6b14d12ec51fb2468f56abe92ba90b02f49684c81240216ecec1

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe639bb9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
539B

MD5
c6f7af068e7c2037e423fa8f6d7495a3

SHA1
2a688c4915376bd21cbbd93ca420a69e6d71f958

SHA256
9b202d3bee28c6882a318671fc247039afb4dc3cda98dc6dd5517f1f8deb9330

SHA512
a5b0ebdb31b56ab5360ddac1a4b308b7b6606af26aaeb3d158b19b8c73feb39ab6b0aae163e4e0d2132511c66504749ff4642c28e2a231b39b1e3df37e06e5c4

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity

Filesize
203B

MD5
9e14c26812e90decd1b0b56fc2e7ad26

SHA1
9d2b8c1aa91967810f5bf31067c22e057e76b83d

SHA256
22e744065f5f393055920e9859c523da3950ffee07390f5837363c9addf11314

SHA512
7714317d7e565e67f61861e1eaf0d27e2a0380eb6bf4093b83b09a23249ea8e350fccdcc8a271790f2031e002db0058fec3425aaad479986698c7e7b31bca546

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\TransportSecurity~RFe632560.TMP

Filesize
203B

MD5
4a0a2d038a421c731aff05251cc03e19

SHA1
532363b60dd0283b60e0084fdf68483c5dba13e1

SHA256
94175bd2d54c72de38c360e02499b8fc7784a02cda301f0dac30fc8108275347

SHA512
3f48836c01195a35e5b2d56a5f254febf07bdbfe9544cd3a1b93cc53a4b92f7de13f9137f7b79177dc21f821d711150d02f6e1445af4d30a360af99284c30bc5

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json

Filesize
1KB

MD5
61c346d8cdf89609cbb25a6ec5241825

SHA1
af9efd536977f9524d3cb6f6e717096696c83da5

SHA256
753c91936b11e81eb4d253bfe857eab7cac2a3fb8483092ac3c537a51303229c

SHA512
3176405074bab90369922b3f0a27164529c0763db019ec5f0607c3957d14c7c95851ce762c3738e4d1f9c87edbc913fe59f0b33a8005a541b7ca8c5748e65de4

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\UserPrefs.json~RFe632512.TMP

Filesize
1KB

MD5
c933649eb8a8ca39ae31a64164c630c9

SHA1
f0c258a0c2353ad960fe8234209ac809e0e00986

SHA256
8f91abb7471f22032075205991e4c5da6e0cd0978f5c05089f38f66143c4b8ff

SHA512
54358556462a8dd75621dd34f401cfd2646ffed7ae3bd9e2bdf7ae5dc19b1e8b3a9e5550293ebb2ffc7655a15881bf66379a931cd4cfdb7f916e7154d07b89f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB17F.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB17F.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB17F.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB17F.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB17F.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvB17F.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
38b893894c1f253c25743df386ce56e7

SHA1
34fb88721f7fe1984c6cdc1a1fa43f6363097f40

SHA256
c3872668d5e7669c4bda061f968efc89f44f9e12d4b29f9f196216ecc84ea72a

SHA512
2ef7edbd5d794ac2f44835135f164af4fae64bf13539cdb423284edbd88859e3b9ff87e2b612d0e9f0c5fd96be356d6d548cf3d5e7e9df2f5fe83ffc55b5b439

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
8d05fc4ccd8140bb005980ef9c323279

SHA1
f51549d04b381bba2cafc404cdb76a9627b0ecbe

SHA256
66db84d821f0bf8a4a824969bb61cfe0f551d0a3d383b152390d22e1a33e2bcf

SHA512
e11e3d344080d781f2674a3145ee5cae98ace0afbd46a9ecea36afb205eca3578a9d5c5705fcf6a09fbfaf33bdaea939dcd48aea08561cf026870b2567805de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
585bde3ea803b50126a448c8a0869ea7

SHA1
ec3b15ceaec99426a22e5e0b197fd66a2aa6c57e

SHA256
a67cdb5362369b28bb2e8855a07eb90b56402ccea158637ec7cab511fbab03d0

SHA512
5efbed176f8a9034198cf53deed1ed3047eedf95497a72275c56c61fab343487b0d3c4aef6a5017aeaeee3c8fec4b7c9041fa1d9b0f781175e7ecd809a30b9a4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 509952.crdownload

Filesize
35KB

MD5
8fd3551654f0f5281ddbd7e32cb73054

SHA1
9b1c9722847cd57cd11e4de80cd9e8197c3c34cd

SHA256
75e06ac5b7c1adb01ab994633466685e3dcef31d635eba1734fe16c7893ffe12

SHA512
a716f535e363fc1225b1665e1c24693e768d13699ea37bdf57effe4fea24b4b30a2181174f66c35e749b9c845b07f82eecbf282ee5972de0426f847293d46b4b

Download Submit
\??\pipe\LOCAL\crashpad_1808_TPGQKDJGHCJTPHQA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3152-13731-0x0000000000950000-0x0000000000E02000-memory.dmp

Filesize
4.7MB

Download
memory/12740-13860-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14095-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14042-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14043-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14044-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13832-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13850-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13874-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13893-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14147-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14144-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14143-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14142-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14141-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14140-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14063-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14064-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13995-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14076-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14077-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14078-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14079-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14080-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14081-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14082-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14083-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14092-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14093-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14094-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14023-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14096-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13896-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14106-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14118-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14119-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14120-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14121-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14122-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14123-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14124-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14125-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14128-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14129-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-14130-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/12740-13894-0x000000006FB50000-0x0000000070F3B000-memory.dmp

Filesize
19.9MB

Download
memory/13388-13751-0x00007FFF95570000-0x00007FFF95571000-memory.dmp

Filesize
4KB

Download
memory/13388-13752-0x00007FFF956F0000-0x00007FFF956F1000-memory.dmp

Filesize
4KB

Download
memory/15320-14052-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14053-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14054-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14055-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14056-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14057-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14051-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14047-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14046-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download
memory/15320-14045-0x000002142BBE0000-0x000002142BBE1000-memory.dmp

Filesize
4KB

Download