gh0strat | 17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9

Analysis

max time kernel
109s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Size

5.5MB
MD5

4d09be4b848196381c0e6a9298c478d8
SHA1

5ddd14eb4feca64fa2afdfa9222454c075ea04dd
SHA256

17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9
SHA512

82f29acc7b8e8536b418bea642c8111ed7a8c9693824bc6cb149f2b994522cb5564c6ea18171af85b111416a728f104ee0b8e51dfc2121c7523c70fe1df21eb8
SSDEEP

98304:NGdVyVT9nOgmhCLEz+/nywvzFNpvyXdUpVpevpVXGmyAp+zBevr6V:KWT9nO704K/tJfCbYBej6

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2064-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2064-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2064-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1136-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1136-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2324-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral1/memory/2064-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2064-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2064-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1136-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2324-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1136-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2324-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/files/0x00070000000170b5-39.dat	family_gh0strat
behavioral1/memory/2324-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2324-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259437213.txt"	svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 29 IoCs

pid	Process
2064	svchost.exe
1136	TXPlatforn.exe
2324	TXPlatforn.exe
1952	svchos.exe
2672	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
580	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1800	steamwebhelper.exe
1008	steamwebhelper.exe
2172	steamwebhelper.exe
2264	gldriverquery64.exe
2508	gldriverquery.exe
1892	steamwebhelper.exe
2856	steamwebhelper.exe
2912	steamwebhelper.exe
2700	steamwebhelper.exe
708	vulkandriverquery64.exe
2972	vulkandriverquery.exe
1096	steamwebhelper.exe
2844	steamwebhelper.exe
2660	steamwebhelper.exe
2720	steamwebhelper.exe
3012	steamwebhelper.exe
1780	steamwebhelper.exe
304	steamwebhelper.exe
2256	steamwebhelper.exe
1136	steamwebhelper.exe
1860	steamwebhelper.exe
1260	steamwebhelper.exe

Loads dropped DLL 64 IoCs

pid	Process
1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1136	TXPlatforn.exe
1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1952	svchos.exe
2664	svchost.exe
1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
2664	svchost.exe
580	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
2672	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1800	steamwebhelper.exe
1800	steamwebhelper.exe
1800	steamwebhelper.exe
1800	steamwebhelper.exe
1800	steamwebhelper.exe
1008	steamwebhelper.exe
1008	steamwebhelper.exe
1008	steamwebhelper.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1800	steamwebhelper.exe
2172	steamwebhelper.exe
2172	steamwebhelper.exe
2172	steamwebhelper.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
2172	steamwebhelper.exe
2172	steamwebhelper.exe
2172	steamwebhelper.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1800	steamwebhelper.exe
1892	steamwebhelper.exe
1892	steamwebhelper.exe
1892	steamwebhelper.exe
1892	steamwebhelper.exe
1892	steamwebhelper.exe
1892	steamwebhelper.exe
1800	steamwebhelper.exe
1800	steamwebhelper.exe
2856	steamwebhelper.exe
2856	steamwebhelper.exe
2856	steamwebhelper.exe
2912	steamwebhelper.exe
2912	steamwebhelper.exe
2912	steamwebhelper.exe
1800	steamwebhelper.exe
2700	steamwebhelper.exe
2700	steamwebhelper.exe
2700	steamwebhelper.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\259437213.txt	svchos.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	svchos.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2064-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2064-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2064-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1136-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1136-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2324-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2308	cmd.exe
1172	PING.EXE

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1172	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2324	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2064	svchost.exe
Token: SeLoadDriverPrivilege	2324	TXPlatforn.exe
Token: 33	2324	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2324	TXPlatforn.exe
Token: SeShutdownPrivilege	1800	steamwebhelper.exe
Token: SeShutdownPrivilege	1800	steamwebhelper.exe
Token: SeShutdownPrivilege	1800	steamwebhelper.exe
Token: SeShutdownPrivilege	1800	steamwebhelper.exe
Token: SeShutdownPrivilege	1800	steamwebhelper.exe
Token: SeShutdownPrivilege	1800	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe
Token: SeShutdownPrivilege	2660	steamwebhelper.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe
2660	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 1924 wrote to memory of 2064	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	30
PID 2064 wrote to memory of 2308	2064	svchost.exe	32
PID 2064 wrote to memory of 2308	2064	svchost.exe	32
PID 2064 wrote to memory of 2308	2064	svchost.exe	32
PID 2064 wrote to memory of 2308	2064	svchost.exe	32
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1136 wrote to memory of 2324	1136	TXPlatforn.exe	33
PID 1924 wrote to memory of 1952	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	34
PID 1924 wrote to memory of 1952	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	34
PID 1924 wrote to memory of 1952	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	34
PID 1924 wrote to memory of 1952	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	34
PID 2308 wrote to memory of 1172	2308	cmd.exe	36
PID 2308 wrote to memory of 1172	2308	cmd.exe	36
PID 2308 wrote to memory of 1172	2308	cmd.exe	36
PID 2308 wrote to memory of 1172	2308	cmd.exe	36
PID 1924 wrote to memory of 2672	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	39
PID 1924 wrote to memory of 2672	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	39
PID 1924 wrote to memory of 2672	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	39
PID 1924 wrote to memory of 2672	1924	17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	39
PID 2664 wrote to memory of 580	2664	svchost.exe	40
PID 2664 wrote to memory of 580	2664	svchost.exe	40
PID 2664 wrote to memory of 580	2664	svchost.exe	40
PID 2664 wrote to memory of 580	2664	svchost.exe	40
PID 2672 wrote to memory of 236	2672	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	42
PID 2672 wrote to memory of 236	2672	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	42
PID 2672 wrote to memory of 236	2672	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	42
PID 2672 wrote to memory of 236	2672	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	42
PID 236 wrote to memory of 1800	236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	43
PID 236 wrote to memory of 1800	236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	43
PID 236 wrote to memory of 1800	236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	43
PID 236 wrote to memory of 1800	236	HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe	43
PID 1800 wrote to memory of 1008	1800	steamwebhelper.exe	44
PID 1800 wrote to memory of 1008	1800	steamwebhelper.exe	44
PID 1800 wrote to memory of 1008	1800	steamwebhelper.exe	44
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45
PID 1800 wrote to memory of 2172	1800	steamwebhelper.exe	45

C:\Users\Admin\AppData\Local\Temp\17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
"C:\Users\Admin\AppData\Local\Temp\17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1172
- C:\Users\Admin\AppData\Local\Temp\svchos.exe
  C:\Users\Admin\AppData\Local\Temp\\svchos.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
  C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
    C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
      C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=236" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x22c,0x230,0x234,0x200,0x238,0x7fef60cee38,0x7fef60cee48,0x7fef60cee58
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1128 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1288 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1588 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2856
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1640 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2700
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1256 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2392 --field-trial-handle=1176,i,2307073302441873373,2479521877870651843,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe
      .\bin\gldriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe
      .\bin\gldriverquery.exe
      4⤵
      Executes dropped EXE
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe
      .\bin\vulkandriverquery64.exe
      4⤵
      Executes dropped EXE
      PID:708
  - - C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe
      .\bin\vulkandriverquery.exe
      4⤵
      Executes dropped EXE
      PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
      C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=236" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7fef655ee38,0x7fef655ee48,0x7fef655ee58
        5⤵
        Executes dropped EXE
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1148 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1504 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1248 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:2256
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1284 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:304
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --first-renderer-process --force-device-scale-factor=1 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1552 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2420 --field-trial-handle=1208,i,11927502398490844052,2588030642228542952,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
        5⤵
        Executes dropped EXE
        
        PID:1260

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2324

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259437213.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f0e80c0bd00f68141187df8d8f07c43

SHA1
037b90d6c8858ce3483c813caa8d4e170bc8c60d

SHA256
d2d7f58ddb7f05655949e7eecc6e3329bf1ca8847068a7152ce9dad03dbea9f9

SHA512
e1f3d5467749b2bd70d8edb58f52342e4376c655715936139eba20c74ad2213c5e4e3aa9f0d83405607fcdaf6c3b214b41414b9bc140f415de616af42771af44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0dce924579124df2e00e958eb7c4ad7

SHA1
57382bc67ca8d6022271e665043c0d46f3fecb9e

SHA256
d93c0b4a78e47fdfb4baa650e06e067dc28e653f3104ead22cff8b53256eac03

SHA512
d20fa0a147e040efc80126a2d3c85c6bf064529a864f113bead03f0370e7f685fed234f8f04ee5f435c24f0d67306603dfc7710a40012e2ec308e43a8936d12b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdc20f19340c61455b66635469e19b4f

SHA1
25e9e6c8f667a84253b9cee4b20540d18a395392

SHA256
331a150f50d87528f17fcd2ca113fabed7db485e1a654638dfa98af1b4635b50

SHA512
d319486638e35a5f11677a4c9f12c7d3abaa8a6f0c9cc45bcea13fa49512df920c1adb2af8c138acdceb22f37db66d64d513d9a7eb1bfc07328657d0c6bb7e9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79d4fdd23079e0be0be70d2ba892967f

SHA1
1b4dff7810370554f773af1fab8a53d9d64bf5ae

SHA256
70d1f0176ace8c18170cae1d3bfe2bdee3f806e61714ef2e21983e30947ef0f7

SHA512
fa977766391a07ccfdf044361b8035a36c019edaf9871648d53ccc335c611e8266de5211567fc51e48839be126d36454cb8807151d821727f5f0baf98e451297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2d08a81c4e437e53ecb87a2f48def70

SHA1
0d962eb18258a51aef5064d53692747893040920

SHA256
1964cf134f98ff199fbbff19d138b1d3a2fdab7a2fff9b965f92662a60dc1cc5

SHA512
11252eb2694790c25c1783f76ba165b2f2f5d86a17279c767b91a9c032211fa2e2e9b4a0be4dc194b40d93affa2b433af188c51a94d91c95c92e27d04e6cb90e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
25c685ac4464eec21b376cdc9a630836

SHA1
112612a192f837e86790ebe60d5d328a5c144a94

SHA256
25ba30ab7238894582a57a2b799668ca85e509bb6601b0ff77ca456c55246cf6

SHA512
302d980de2445fdd65d9c7df155e8f8c4808a10c983ce61bccc2269fe3e05f4a0a9302ed07a6daae8e81d9a976a79b99ac19ef7dad51d2bd093ac1b15865ad98

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf7804f0.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3988.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_17a32a3f8fb6b5938e08a8396fd96bb025f7d42d2c0cb97aa4b7498c12d0fba9.exe

Filesize
4.2MB

MD5
b52c89b709394038e3ab592831dd5e35

SHA1
e32eded6e6d6f4c846a25119dda83afb751898c1

SHA256
7d0ca9b7dee8c4b3d0ea55d5dd60ab7343bfafb4019d8b33578ede69d6f6ad92

SHA512
288bb968dd7f96f463801da6a11904cc140ebc97f62d72185682549901bfe43863cf4203435d3221e72de1975ad1edb4bfc154fa48f40a45ef0e126c8aec9ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.3MB

MD5
4d399d5f780308dd48f3a036103acc31

SHA1
1e03c77c157441826df2b934a328d3c500a01693

SHA256
86a18ce3c360fc4cf09565955078fb5ecbb72b7ae533c0e395ceb3efe57a6856

SHA512
faf3da905b2570ba82c1f8efa3434d768e08dc95aa0752c1723b17c2eb60a85250b33f57a41a48196c727ad5ba0d117fbbfa76999adfaa156de166399b64896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B21.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aom.dll

Filesize
7.1MB

MD5
d764264518e77cc546a5876c3bcebad4

SHA1
ea17d45b396fa193a851bfd345e2b2c20ad60e12

SHA256
e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd

SHA512
7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\audio.dll

Filesize
183KB

MD5
bdbf3fd3d78b9f6e01301748f6d1d280

SHA1
5a6b927c5ac3969f4e4d3aa526a8b7aa4cbb0204

SHA256
9345afacd7f25b7a4ef0e7a02cf1ad4fc3015c93f4c7f7b480aa48cd3b184847

SHA512
b973010a30447b9cece7b3ded7c6bd15399098b7d98da988fe96f14f003c056711547c5d04bc9cf81764680ab11b118168b937dc9445d05f8cab27d457788561

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

Filesize
23KB

MD5
03068ddf42f4e6cf8cbacb82d12acd2c

SHA1
d4a92bace1759a9990de598a31ecc37dcdcc482c

SHA256
633470b3bcc1bf209ac5c9d3e5d8cf1aa0c51af86f7694e088a842908cd6dd62

SHA512
bdc44c95e83f01066ae54e9ebea83e6a2fc0975af1a00814b005b73fea2b004e0a2c52bf812aa945f00eeb132f89e427cdd8c7de463cdb0fe71c81fd97065272

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

Filesize
23KB

MD5
ecc4653141cd6f0980d3de87ada003c6

SHA1
7e911ca31f4320f4355f1ee5ac52d788ef3d55f0

SHA256
d37289cd28bd3d63fc7cb140616bbd2641975b7511d85376e2a9b83729564783

SHA512
44109105a6c21b8b28e8addc241ddf83aaafbedc10ffce73730b9e0973180c0aeaee4e7ae0c4a3c9b10c6c7930e905023066766aa122f43dbd21ab8ae73abcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

Filesize
23KB

MD5
43edf34edf20ccdd0ed7acc7b25748ff

SHA1
b474d11f41ca492be762a8de1c13416f31ba9372

SHA256
8d18111e53502f05828578df32101b10a1ee2f4a4504c27046083ddb4bef1ab9

SHA512
5995684ee6265bf4ac4e2cd376193083bdf9693b5ef29b07cf33a86ec373505fd431d47557263d5eb15e6d3ffc9787ca8634037c51b90ab0e7b258fc57f1e3a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

Filesize
23KB

MD5
fd8029b4da3083b475a48ac76ec4993c

SHA1
040f3273c52e0e963b9a2d11cebfb0bcf06d13c7

SHA256
abacc78b4c8dfb89083aecc59234930460c6b1072c8d55d01369b20fb044181d

SHA512
cd3d4a6a33cd3b698bfec460cc2b9433ef7290558aa031f4d888d9801b5f025900923d51cdc78bc35d81d8c33a3e7ab335b60d7c4cd6a301e60e0506e29208a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
23KB

MD5
3a2dbd4334b9cc234496f2d7cf9e1d26

SHA1
99bdae37b42ce7bd386b0479fa1a1ea3c53caf1b

SHA256
1af61ea6c2bfbb2dfa24ebc20ac50fa69441a641dc60e3dfae8181901cd444c8

SHA512
8cee7c2189b51d8920939b2fc16fb8daf8b10b3ab1a889a8bebb65b5adc10175da0894660bc01a6d11c0eafc93194c4c9045a4f6bd2944628c5362d9ceda6839

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

Filesize
23KB

MD5
52ff2bff29dd0d39daf082e77d2bf244

SHA1
452b1787f8b35def0c3dd815a4dc66f7814989e3

SHA256
fc43d6feb3425cf49ac39f242b2c1f8e078df6827fd28d829d27df5f601850f7

SHA512
805e5edf61fd44042e71302b61e236e74a736c1f5ae6ca5f61217b074865544a90aa48530964b3f502eb79c52b123a95245e8c206cec81dec78b11d209ac1308

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

Filesize
27KB

MD5
87f9288def26465cd646991688c0edd8

SHA1
fc327cba7f20d0a2378a5c5609ab426a4ff93013

SHA256
641c7902819e885f1cea916e56df83999ddfc4d7ac150aa056b27e2e2ada7de2

SHA512
8f2c17822daf7c28742c0c7d3849d7433edba99af8ede77c9a03fc4784a73195b7c195bb75b2f0423dcd3c49ae1b8e57177add5cd4c6119693fbc6903e20ff7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

Filesize
23KB

MD5
fcee2ad431d015f2645f6e87083ffd55

SHA1
8a5e202f310afd2832fc8c1a2d431025325fb046

SHA256
dcde2bd75c67d8dd94485e8c19b0a557cf30d980f1d3d23b98b7ec5b30b2a215

SHA512
a31611091139d4ad0fa1f6477fb557a4b2435e4ea90db021d80d66cd943ed4728e5c5a2962061f31c67433441103bf419fac2e3c8eb544402fe2f9428123a856

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

Filesize
23KB

MD5
20cc1bc113ca79a3ae0639e8adcde6e3

SHA1
1d8760c01218059b3e3b5313ad932de13684d0ea

SHA256
e2618f8e40ba85f0eea466af889a311316a545b15f1c982035d68827999e15ad

SHA512
c46d129eb313ef801a7637bbb9a9040fb8f770ea0626146b5028141cede9c7e2a46f58bc3c17f2515cd5bed3f6775ad93cebca57373faec4fcc1821dde1fac58

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-handle-l1-1-0.dll

Filesize
23KB

MD5
d61bba9bf72ba9fe6cfa57b878a946ef

SHA1
2e3e41f596219de5232311dcd6d7fa73342411c3

SHA256
667db417bdb9a7ce632b249616273f8cd3ee69ae6dcfc1b4ed11b16f1378c540

SHA512
34cb9e3f826c13c6a6622508ccdf94e803c080106e26fd311c1dd55d1bc9f3b7451a8984b58f72da3f20fcc837be6b036c27e3286954ad5f6979c70c637cc308

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-heap-l1-1-0.dll

Filesize
23KB

MD5
8aa73ea893c069d0aa98240d57e88fca

SHA1
a14511fa2c916a27ec1fb3a2c207165db6cd7ea4

SHA256
2400936d6a7a396a7c282b9b02df974c463d2b89c7a16dce7d87612908124c76

SHA512
d5f9fa3ccce52a56945bc34f0a58c3cd87412a660d4a84c8c40a50364e550e0f1eda045e9456c9b99e2e46245afd25696ed3f7337bf1398ff088e218b1c1105d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
23KB

MD5
b265d592a17183a8d1450b45fc76df66

SHA1
8e2ce55c543bd41adeb8198067f0dabcf7bf2faf

SHA256
6037a1b25c98e00832ea1e3c8dbcc1a85549992f6286b80d68ad2ccac3d3bec5

SHA512
f67cf871345b17b638d294afbe7c8afe408c6a43fb85df7758d1a8249f56f1f0a74f754b45bc685e00ba5f6d88ba64f25e43b5fcc88d4f0b91a848c748172afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
23KB

MD5
622a8247e84fe7a8cb8ed8bdffbf31f4

SHA1
4656444f64f5d1c20d8c355c74f4d41eb8001246

SHA256
105aa615c6b77e3325700a6325e56a78d584fb1a792c33704b6412b7cf16f36f

SHA512
276cc4b255801d68ba649a7b48d52fc7ead890e31941b9f6b459555711bdf2336494e3178cee41460a2605005630073a0c68c65bc4aaefa2399df0107947a267

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-localization-l1-2-0.dll

Filesize
23KB

MD5
97b1a95703862d7b1a45d8494563bd04

SHA1
f96ca4ebdc21564bd6f4e9bf7ef538f700f702a2

SHA256
4036ec9bc6598c72ba6f6216a6dd24eb9a303070acd4b18bbeffb5228d4c3428

SHA512
bbe64ae065f29596b954b87921a41471ec56e279d273a287e7e777afd032d8fa505e03d883acd91b3bf0b0fe32e7782a652a543729314c9585498809ff394ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-memory-l1-1-0.dll

Filesize
23KB

MD5
497a278be3d7a88000d9bcac0abdaf37

SHA1
4237b72d2ea44d63f6806a8f10dc05824492a9e6

SHA256
5b124268dbb56e55afddbb414bdfbea3439d17bf32022a2c2b25ebca55b07a8a

SHA512
861f6fbe9c210afa71280797a87a909c14e0d1f865f21788a86c187e95069e79c3eef99b4c8250732069fa5160c6a3d60474b9f0a94d0d96b0c447a7fc2b7e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
23KB

MD5
7d60f7c85f257423b6ba52840118e80f

SHA1
7fab0d6b48172e5c9fe5cad4ea65a9b9559c9bcf

SHA256
fa662dd9b22e3f4d59effd6ee1e2beeb4016184f7eea38d26a1a0df888f59f77

SHA512
8c047a9706713ea5c8bc848d4f20b29d51a9b9715aeb937ebd341b94038b4c1d03aa92c19f23126afac4171577cc8ba41202b676f9ceefa1e0f5404bd736575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
23KB

MD5
2ee0b0440783ce843c2655baba9c76e4

SHA1
4665e7a8f30cedca77351d9321696ad65521da88

SHA256
b912bb78003def510b17b9bbf360fff929b5d5d94298254ef792ec34b82a2bab

SHA512
6fd0336a998b6b824b0b41a58fd25a9ea1dc0e98accd6a4a7902ff29ae1b475f9d7e881276576b7ed39d1b3f855bb1e66458148fe92bc13722fbefc7e56f79fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
23KB

MD5
94e709a3b938de4cfe760545d18e3da2

SHA1
d81ac1d6c4ee2623a7d9a51f6d941c3960118cec

SHA256
0e683c31dff835cf09124c652a654e17f0f0fa99c4bdc91411d75f418992b10e

SHA512
8e7d7305a23f7478934e62a59ed722e9f018af304d2c4ed5ef752ea36594fdee265e99af87db196ca094b1e7fa466393e599cbffb1b2d26364872a508a241ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
23KB

MD5
1308def8f9663fb6b7c476f52cb60675

SHA1
18d7da1e088c1872221b33aaf390618239e31ae8

SHA256
353478f36be9c35bfdf49d48e9080373c13093ed0671683b5eb7a7bae21b0271

SHA512
aae2fa620b6fa96cb4c7135f53bdabbc75f30c60b9cc7c320bb766c5832ecbd0b3f24a140160f3a93b3201e7182634957e5c615e72f2f16874422d2f6ad27897

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-profile-l1-1-0.dll

Filesize
23KB

MD5
b7728c6b8a37780f11ed65cb26f6bed3

SHA1
8e9a01284b2904f3f91d218e1c28ca1ebb982f61

SHA256
7c01b2e4c6e47bc5cece6baaf41ce489594179afe9b3bb55ecdfa3834251fea2

SHA512
ed5f7f6069dce09cd0361e82719068df89f61b4280135e2b1657b04c9a8b053e24b971cd9af31f34f995d31dadd8c2fc218c80840a5ae5a41dcd9c0e88c22e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
23KB

MD5
092dcf30ecf88949733ef075379d0684

SHA1
fdeedb592ce196195c70740bafe23d0b63518cf0

SHA256
d78968f651f021fff75d6e93e4dfab8704fd6f317ccc3e8a6023d4b84d550de6

SHA512
5de27ee9f64c6779f7e0beffd7b3a114a4bfc74bee6f29c21f6b584b3077466bdc81d2276f62f195f3c658ce62e360ffca5999874cd7456520ce646692a47bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-string-l1-1-0.dll

Filesize
23KB

MD5
060f3540d5afdc5335d6c77d71eefc00

SHA1
eb36802b982dba740312d4f1813de725c9315e34

SHA256
a9b13b7b54757e5c39430c3b2f9c59e20ac382092e1813bea2870745b5913702

SHA512
3b172f0f3a3884516de16183e8cf1797ec394c24f98cf5dd846000088c624f83af705f687ed1d8bed0125731cb4fb07d20c358956719cddf477a070c2f846daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-1-0.dll

Filesize
23KB

MD5
040a9e244f28398fc442ecbb5d926ea5

SHA1
f1216233562e53f04e8ba541e7e2aba171c83234

SHA256
13b3355b7a60f1fd6467d789c121ce91cfaa62d412e9ccf5dd59bd69ae0cf6ee

SHA512
a2745daf1712a7552ca434f76508151d16c3528df7b3ae2c72ab05221134783c16ae8152d1eb3e84403e6fc48f3c6d27044066cb84c9e537805a9f2417c90410

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-synch-l1-2-0.dll

Filesize
23KB

MD5
f455b70c2aeb62e5a066f3c92fbc604c

SHA1
3481ef600d680e5a211faff858fede7391c5703e

SHA256
86a25ff00b7ed5374999ec459e7c3c195301414e42e00c5716faa4eec49be2f3

SHA512
6522dd1186267b0daa95a412864fff50b982e1c0bba985749df8894c5997672ad211946d2acc38719d424a6c81603ad70e77333571c57b68da501cfff5abdd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
23KB

MD5
d1d1cfcbcf15736905aa904a4920968d

SHA1
3e2c06622f27d8d4d546b5c46f64cd537dc2ce09

SHA256
654bb2887bdcb4c8d67aedd856a8fe881a10203e921303e7e46cb4613e7aa379

SHA512
bba0bd89fd5264b60c944102985dd809b5ca4fd7ce4ba313bd4e8d3521be8fc06ca82e8d657de0c5b7b8929330c53309d9d6ffbad94ff7067769ae4c5daf5f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-timezone-l1-1-0.dll

Filesize
23KB

MD5
cd4384d834b29da7dfdb9fcea4ab6223

SHA1
b4056ff01555ed2ecefff6001ec053bfe024c52b

SHA256
1926b6136d8fb0687f6d20c95e3a0a5175c4e6f5c092a33c927f2d9a3db9be25

SHA512
282fab1479da157298fe9885037bbf7b13c1b3c29a5758b2fa8602f9e3db975d26373c787e42e16f58fac3073175738e263d717e919809dd020b0546a581fd41

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-util-l1-1-0.dll

Filesize
23KB

MD5
a91581391c80947348f5ce910bb7edba

SHA1
2c73aaa678cdea87ffcca1b1ca52ece9856d6c63

SHA256
6ca2639951d66cdf24da81e8377c38534b06fdc0fa8b9e61637a9d615fc053c4

SHA512
5ef069fcacf0ec7fdd6f38d82bca4a902267f98b16bc033dd0ae4b6d27f8b3069872d35ee9494ce0777e698f5711dfeeb261de979f8ed73297ce185698da1df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-conio-l1-1-0.dll

Filesize
23KB

MD5
052f1dc5169479370e1d93cba74164b4

SHA1
2a8de8c16718829f34c00fed6dccbbad0a329378

SHA256
9a8f77edc424c0acb982f1a3d95804b43e644877f29d7e6770f84f55ceb57097

SHA512
771455fd9c409e27c473ca37e8cbd0da4458d00f09754e29b1fc7df2973243d43d79449fd7cf71907730c6098edd96c109ebab57dc20c908f893538ddb0fffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-convert-l1-1-0.dll

Filesize
27KB

MD5
eba8a48db9c108f331b1ee877d1bfa34

SHA1
572552bdfb506db07a7d580253645dfdde962edf

SHA256
7e3bdcb763330065d7918f1bf053a31970c7ab4aa65794fb256315d4a17cad20

SHA512
f665d2ffc9d64f18c35121726af4c8e764bc401a96d29ba9e67a3ec3ae6a0a34a4e9beeb541a5cb79d3b4ddf50255a07d7d4b95a4abed6ff4808b8b115dd9648

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-environment-l1-1-0.dll

Filesize
23KB

MD5
0c7a94fa6692d5ace1ab988bda3f638f

SHA1
2708c24ca07b2cca643c6c964a5a1592d162e69a

SHA256
9c023467bc9b8d72b7071f6ff2eecee47a2d93feeee21b787e579f035a545134

SHA512
2fd30032347b6914fb18c95328edf1f44e1d02409221b785086e9d0223fd1b021710cd680bd1994e1e51ba7712025d51c91e3aee86e5a04bacd92e61a9eac05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
23KB

MD5
936b063b07ca5ed344ecba8894a2f81e

SHA1
08fead434135fa721af1b6d523260db7593d1c0f

SHA256
349dc4a320f444123a27bc3ee0dd3771dd085a2f9b30818a7586a9a74e67af91

SHA512
697c5301cd21a080c1e5a96904b06cee11473dd6f6b454a04229903affd6ba6bca28d21f0051730db2365e774f6cac468f0fa7ca77e2bd3ac5cace64992979a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-heap-l1-1-0.dll

Filesize
23KB

MD5
f4669a5e62c2cbdcb2ec53e117cb81b9

SHA1
f86843d53ece07d1847b5e64638bd3823832e5b0

SHA256
6781669609378301d5dce01d8c9187ce9cc50d160fa4022042403f3ad4e55145

SHA512
4ebb9fd49e8cdfbc7b23d0b2961a097b98d351b678e1be0196487972014db13ed2bebfc361eb9e5d51bcf6886df3f9313073f99949559c499c4277a22c4c3385

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-locale-l1-1-0.dll

Filesize
23KB

MD5
942062f614fc18a4fde240b6c430ba97

SHA1
fcbb4afa9a0eb45d1e3e1509137a6af5e0d51e8e

SHA256
43d1f6551c2e6c74f148831956938524bef57ad8d9c1c092ee1fb592797410d9

SHA512
861a7c2a3f22759df2d9f0f6c8f602e930b478cb65c93de583f84e3ac507d57a211057c812faad07539fe4b3bfdf96734024af1c81606dfdf6238effef0e3f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-crt-math-l1-1-0.dll

Filesize
31KB

MD5
1d65c5490dd8f1caebdde1f5b0466e23

SHA1
d9478b035a98e16467cca63fd3366e3e3bbcb783

SHA256
c7ff94b866b7dd4089ce1c6fd7881aa52f3ea98c10ba643107c66c54a989a982

SHA512
c99537c463629ec575519993f311d3cc2463648a2f20fea84e7023ae2d3b21e51842124406fabcf5d6b7433e7746771ab68b18c2615d21a1d0170df2eb81ec0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txt

Filesize
15KB

MD5
25b37222b10c1b65acb1b76a3dc4ab83

SHA1
7721f532a29c52283b59226b28e29edf352f7c64

SHA256
990de6a21189c76a997e12d0ba81a17eaf96f68088cb6021aa507632211e1450

SHA512
4e4a9ef12818fecf887a3eec83108ee2fee3e9c15090984f2cc7a611c1a39d3107f1d6f8b278c6a2de4c76f1aaf0111ab3ca86915904ef77d2665ecbd7a3f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.bin

Filesize
3KB

MD5
178693882dde99fa5d9a0ad45e01ee08

SHA1
07efc9e1f78f48be6a7abf66f504c07ab4611f1a

SHA256
7afa0762e6922953fe11cadc3c9b68d5c7922790521f62917401909ea40b0c8e

SHA512
613c86a0e969528995fab1d65b1fb5ded8315141b597d93c22e3c225f6388b1d19fe70e492f5dcadb7ff7bf7054e71b67491795c6ff142f581f77a59ba7793aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.installed

Filesize
477KB

MD5
584ade27a4b24ad75ec9e4b87abaea86

SHA1
62424222599f150eebb4be55411180d48472b437

SHA256
635521fe11e719d29fc4dd780e2d094ee0e8858249ac852abb5a47ebe593a916

SHA512
b7b0ff6393e60330d0b52fc4dc58a2628db052b0cc0a3a3a989d3376502bdcb691d671ad27a6b335d300e269c8ebce8e3d56e008722bfee685df106729223f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifest

Filesize
8KB

MD5
02b5961bd0e56bc64b88ddcf903fc42a

SHA1
6b38e72dfc69a1df2eabfbff33d8c8ba41fcf6b2

SHA256
bd6016432b150c897af0e8ea6a7ae8df353b67a5e6293359b79dde002cabd8e0

SHA512
1539f90f4822b34ec8a841e8482144625738173e2eef5ef33bac75cd4666a20a449b7009ddc4fa04cd53197a2e6cd35075bea65f8583d9eea36813bd964807cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txt

Filesize
4KB

MD5
555f3a1a3e2ba4f9a31c0e1c7906f238

SHA1
b0d8b147b34f4812aa5df61fe3b5cf227b4ada7f

SHA256
38c292abd86eb2a50eb4ea1a74efc7dff017f9183e0252892e9adef5f577119c

SHA512
bed445e47f14625063683cb7635500e91632bd7f19f78eb566f8d7ea376ebdcb3994eb4e9d68b7e33acac17dec86c58652f73cb1b85251dde274f2b51741c765

Download Submit
\Users\Admin\AppData\Local\Temp\crashhandler.dll

Filesize
346KB

MD5
8b0b8be2a990e84f4c9aac90e17e9c79

SHA1
cad7fddfe6421c00c005aebe1267f1354e7980e3

SHA256
1e0a3e673d126c8407c3501c6f5910974a9a2604dc13efb92cd09accddf26eb6

SHA512
0c3962e8ed5f5192bd06b604c791865c3179fe5cf71685598e46f0db71b46158f6d124fed8a33c120609419e9d179991a0250db33d12f1b230d6a850402625e6

Download Submit
\Users\Admin\AppData\Local\Temp\svchos.exe

Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
\Windows\SysWOW64\259437213.txt

Filesize
50KB

MD5
c2f57593a59af4de450c4f699419ba99

SHA1
979f0af018433c3ea69b5a357bf0e9c33b3a2c95

SHA256
c13c6ffb30f4e8a5665a8420a343fe64b7ff592c086ee6f3561ce41a7f215930

SHA512
b2080d729f2770848b2d20e0cfb1de117e79fa5cdf63f494bfab5330e718dd974a227b45da2efa87f638dc4299d0d708e67e1331b6d78166df218d4a91c302ee

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/236-13565-0x000000006FEA0000-0x000000007128B000-memory.dmp

Filesize
19.9MB

Download
memory/236-13622-0x000000006FEA0000-0x000000007128B000-memory.dmp

Filesize
19.9MB

Download
memory/236-12941-0x000000006FEA0000-0x000000007128B000-memory.dmp

Filesize
19.9MB

Download
memory/236-13616-0x000000006FEA0000-0x000000007128B000-memory.dmp

Filesize
19.9MB

Download
memory/236-13615-0x000000006FEA0000-0x000000007128B000-memory.dmp

Filesize
19.9MB

Download
memory/236-13605-0x000000006FEA0000-0x000000007128B000-memory.dmp

Filesize
19.9MB

Download
memory/1136-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1136-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2064-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2064-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2064-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2064-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2172-12632-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2324-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2324-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2324-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2324-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download