f1b27ee139e88001e5932fda0abf9f305b780da2c8b22536efc107dbfb17e523

Analysis

max time kernel
600s
max time network
603s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

astra - 1.0.1.exe
Size

1.8MB
MD5

a2541b3b3964846cc10d5e6d6b47596d
SHA1

db5307fb900cdcaaf61dda25171a635c4c17822b
SHA256

f1b27ee139e88001e5932fda0abf9f305b780da2c8b22536efc107dbfb17e523
SHA512

e305f78cc6f25c60f18f0fd84336d247ea329e01d8288ba791d74adb375291614e2f8db9e3e74363a419e06f2ebbf1e209d61329a4c1df69afea0bb79a036378
SSDEEP

49152:mciCu12nlG36D4HHQ2VMeEHBefw9feg8:s93CAQq4UYs

Score

9^/10

steam discovery evasion persistence phishing

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

astra - 1.0.1.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions astra - 1.0.1.exe
Downloads MZ/PE file
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

astra - 1.0.1.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools astra - 1.0.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	astra - 1.0.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	astra - 1.0.1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

astra - 1.0.1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	astra - 1.0.1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	astra - 1.0.1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exesteamwebhelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	steamwebhelper.exe

Executes dropped EXE 16 IoCs

Processes:

SteamSetup.exesteamservice.exesteam.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exegldriverquery64.exegldriverquery.exesteamwebhelper.exesteamwebhelper.exevulkandriverquery64.exevulkandriverquery.exesteamwebhelper.exesteamwebhelper.exe

pid	process
872	SteamSetup.exe
4656	steamservice.exe
6028	steam.exe
3948	steam.exe
10400	steamwebhelper.exe
10440	steamwebhelper.exe
10068	steamwebhelper.exe
10120	steamwebhelper.exe
9928	gldriverquery64.exe
11388	gldriverquery.exe
18288	steamwebhelper.exe
11508	steamwebhelper.exe
11856	vulkandriverquery64.exe
12192	vulkandriverquery.exe
13704	steamwebhelper.exe
14064	steamwebhelper.exe

Loads dropped DLL 56 IoCs

Processes:

SteamSetup.exesteam.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exesteamwebhelper.exe

pid	process
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
10400	steamwebhelper.exe
10400	steamwebhelper.exe
10400	steamwebhelper.exe
10400	steamwebhelper.exe
10440	steamwebhelper.exe
10440	steamwebhelper.exe
10440	steamwebhelper.exe
3948	steam.exe
10068	steamwebhelper.exe
10068	steamwebhelper.exe
10068	steamwebhelper.exe
10068	steamwebhelper.exe
10068	steamwebhelper.exe
10068	steamwebhelper.exe
3948	steam.exe
10068	steamwebhelper.exe
10120	steamwebhelper.exe
10120	steamwebhelper.exe
10120	steamwebhelper.exe
3948	steam.exe
18288	steamwebhelper.exe
18288	steamwebhelper.exe
18288	steamwebhelper.exe
11508	steamwebhelper.exe
11508	steamwebhelper.exe
11508	steamwebhelper.exe
11508	steamwebhelper.exe
13704	steamwebhelper.exe
13704	steamwebhelper.exe
13704	steamwebhelper.exe
14064	steamwebhelper.exe
14064	steamwebhelper.exe
14064	steamwebhelper.exe
14064	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

astra - 1.0.1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	astra - 1.0.1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	astra - 1.0.1.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Program Files directory 64 IoCs

Processes:

steam.exeSteamSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_l3_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steampops_italian-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_l1_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_trackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_rtrackpad_ring_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_r1_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps_color_outlined_button_circle_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\clienttexture8.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sd_button_view.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\OverlayTaskbar.res_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\SteamOverlayVulkanLayer.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\xbox_rt_soft.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps4_trackpad_ring.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt	SteamSetup.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_mouse_5_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\joyconpair_left_sr_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_r_swipe.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_lb.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sd_r1_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\sc_lt_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\shared_gyro_pitch_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\api-ms-win-core-string-l1-1-0.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnStdRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\vgui_spanish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\switchpro_rstick.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0110.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_110_social_0060.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\joyconpair_right_sl_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps4_trackpad_l_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\ps5_button_create.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_swipe_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\shared_dpad_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0080.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_060_vehicle_0010.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0405.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_030_inv_0313.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\siteserverui\images\steam_spinner.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_touchpad_click_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\light\ps5_trackpad_l_right_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\bin\cef\cef.win7x64\api-ms-win-core-sysinfo-l1-1-0.dll_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnOvrOnTop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_finnish.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps5_trackpad_r_left_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_button_l_arrow.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\sc_rt_soft_md.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\SteamFossilizeVulkanLayer.json_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_meterOn.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\vrwarning_dialog.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sc_button_r_arrow.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\xbox_lb_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\knockout\ps4_trackpad_sm.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\filter_profanity_hungarian.txt.gz_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_expand.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\platform_german.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\vgui_korean.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\sd_ltrackpad_click_lg.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\images\api\dark\shared_color_button_b.svg_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0020.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\btnDefTopLeft.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_clear_field.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_360_english.txt_	steam.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

steamservice.exesteam.exesteam.exegldriverquery.exevulkandriverquery.exeSteamSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gldriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vulkandriverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steamwebhelper.exefirefox.exefirefox.exefirefox.exesteam.exesteam.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steamwebhelper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steamwebhelper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133745330655440846"	chrome.exe

Modifies registry class 42 IoCs

Processes:

steamservice.exetaskmgr.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\Shell\Open	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\URL Protocol	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

steam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	steam.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

14600 NOTEPAD.EXE
14736 NOTEPAD.EXE

pid	process
14600	NOTEPAD.EXE
14736	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

astra - 1.0.1.exechrome.exeSteamSetup.exechrome.exetaskmgr.exesteam.exe

pid	process
2584	astra - 1.0.1.exe
2584	astra - 1.0.1.exe
2584	astra - 1.0.1.exe
2584	astra - 1.0.1.exe
4432	chrome.exe
4432	chrome.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
872	SteamSetup.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
1488	chrome.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
3948	steam.exe
3948	steam.exe
9076	taskmgr.exe
3948	steam.exe
3948	steam.exe
9076	taskmgr.exe
9076	taskmgr.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
3948	steam.exe
9076	taskmgr.exe
9076	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

steam.exetaskmgr.exe

pid process

3948 steam.exe
9076 taskmgr.exe

pid	process
3948	steam.exe
9076	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid	process
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

astra - 1.0.1.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2584	astra - 1.0.1.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe
Token: SeCreatePagefilePrivilege	4432	chrome.exe
Token: SeShutdownPrivilege	4432	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exetaskmgr.exe

pid	process
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
4432	chrome.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exetaskmgr.exe

pid	process
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
4432	chrome.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
1936	firefox.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe
9076	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

firefox.exesteam.exe

pid process

1936 firefox.exe
3948 steam.exe

pid	process
1936	firefox.exe
3948	steam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4432 wrote to memory of 812	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 812	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1372	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 224	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 224	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe
PID 4432 wrote to memory of 1664	4432	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\astra - 1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\astra - 1.0.1.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8f34dcc40,0x7ff8f34dcc4c,0x7ff8f34dcc58
2⤵
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2000,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
2⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2460 /prefetch:8
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3308,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4028 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4996,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4560,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:1
2⤵
PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3176,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3280,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5496,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5508 /prefetch:8
2⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5480,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5796,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5808 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3260,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:1316

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5232,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5844,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5740,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5768 /prefetch:1
2⤵
PID:12308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5816,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
PID:12368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5568,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:8
2⤵
PID:12380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5604,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:12560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5520,i,18416370002680650355,16974992605459480770,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:12644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30304f31-29f9-4e06-9ce6-be74eb2296fc} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" gpu
3⤵
PID:2316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af17b44c-833b-41db-b69c-aa1f032e34a8} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" socket
3⤵
- Checks processor information in registry
PID:1200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 1 -isForBrowser -prefsHandle 1604 -prefMapHandle 2808 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d385679c-3815-414b-bcaa-d96eee12bcd0} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:5176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3792 -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3780 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f77cbcb-80cf-435f-847c-893de687f3e0} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:5352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f3cd491-2d89-480e-b380-3c2831a65516} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" utility
3⤵
- Checks processor information in registry
PID:5984

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -childID 3 -isForBrowser -prefsHandle 3316 -prefMapHandle 5184 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64fc310b-fcdc-45db-af1b-1420b7fb3cac} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:5828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5052 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {788dfbc6-b54f-4053-b112-01301230ca8b} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:5836

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 944 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2d3fb5a-9122-4251-9e60-1b1c38cf850a} 1936 "\\.\pipe\gecko-crash-server-pipe.1936" tab
3⤵
PID:5864

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:6028

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=3948" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:10400

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x36c,0x370,0x374,0x348,0x378,0x7ff8dd64ee38,0x7ff8dd64ee48,0x7ff8dd64ee58
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:10440

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1608 --field-trial-handle=1736,i,9629655289978894037,6469533131880490826,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:10068

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2204 --field-trial-handle=1736,i,9629655289978894037,6469533131880490826,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:10120

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2556 --field-trial-handle=1736,i,9629655289978894037,6469533131880490826,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:18288

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --first-renderer-process --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1736,i,9629655289978894037,6469533131880490826,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:11508

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2728 --field-trial-handle=1736,i,9629655289978894037,6469533131880490826,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:13704

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=2444 --field-trial-handle=1736,i,9629655289978894037,6469533131880490826,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:14064

C:\Program Files (x86)\Steam\bin\gldriverquery64.exe
.\bin\gldriverquery64.exe
3⤵
- Executes dropped EXE
PID:9928

C:\Program Files (x86)\Steam\bin\gldriverquery.exe
.\bin\gldriverquery.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:11388

C:\Program Files (x86)\Steam\bin\vulkandriverquery64.exe
.\bin\vulkandriverquery64.exe
3⤵
- Executes dropped EXE
PID:11856

C:\Program Files (x86)\Steam\bin\vulkandriverquery.exe
.\bin\vulkandriverquery.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:12192

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:8500

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x40c
1⤵
PID:10008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
1⤵
- Opens file in notepad (likely ransom note)
PID:14600

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log
1⤵
PID:14632

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
1⤵
- Opens file in notepad (likely ransom note)
PID:14736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\bin\SteamService.exe

Filesize
2.5MB

MD5
ba0ea9249da4ab8f62432617489ae5a6

SHA1
d8873c5dcb6e128c39cf0c423b502821343659a7

SHA256
ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

SHA512
52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

Download Submit
C:\Program Files (x86)\Steam\logs\bootstrap_log.txt

Filesize
9KB

MD5
5ea227237e9658100d812842aeb7250d

SHA1
debceb20d10335226b45a6409a63ae8a0d000a47

SHA256
1c38ab6d49a0b22b733f87bc5024006e8658af53b620594ffdc78d297149c6c8

SHA512
840c27f40589e2a1605af81f218498d28191fada7724ee20908224767e6fc4e1fe8591baf1727ed22b6d140c627fe362e213a4bed0e7cb7d03d3ca4e68a9a86b

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32.manifest

Filesize
8KB

MD5
02b5961bd0e56bc64b88ddcf903fc42a

SHA1
6b38e72dfc69a1df2eabfbff33d8c8ba41fcf6b2

SHA256
bd6016432b150c897af0e8ea6a7ae8df353b67a5e6293359b79dde002cabd8e0

SHA512
1539f90f4822b34ec8a841e8482144625738173e2eef5ef33bac75cd4666a20a449b7009ddc4fa04cd53197a2e6cd35075bea65f8583d9eea36813bd964807cd

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_brazilian.txt

Filesize
4KB

MD5
0340d1a0bbdb8f3017d2326f4e351e0a

SHA1
90d078e9f732794db5b0ffeb781a1f2ed2966139

SHA256
0fcd7ae491b467858f2a8745c5ecdd55451399778c2119517ee686d1f264b544

SHA512
9d23e020875ed35825169a6542512ec2ffdb349472a12eb1e59ddc635e57c8fd65fa919873821e35c755aa7d027c9a62d3d0fa617340449d7b2c4cf8dd707e93

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_bulgarian.txt

Filesize
6KB

MD5
4c81277a127e3d65fb5065f518ffe9c2

SHA1
253264b9b56e5bac0714d5be6cade09ae74c2a3a

SHA256
76a6bd74194efd819d33802decdfddaae893069d7000e44944dda05022cfa6d9

SHA512
be077b61f3b6d56a1f4d24957deaf18d2dff699bda6569604aac4f1edb57c3cfd0abc5e2a67809f72e31a90b4aed0813536c153886da2099376964c60e56001a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_czech.txt

Filesize
4KB

MD5
2158881817b9163bf0fd4724d549aed4

SHA1
c500f2e8f47a11129114ee4f19524aee8fecc502

SHA256
650a265dffdc5dc50200bb82d56f416a3a423eecc08c962cfd1ba2d40a1ff3f7

SHA512
f3594aad9d6c50254f690c903f078a5b7a58c33bd418abdad711ebb74cfbdb5564679593e08fb2d4378faaf4160d45e3d276ba1aa8a174ed77a5791bcac46f28

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_danish.txt

Filesize
4KB

MD5
03b664bd98485425c21cdf83bc358703

SHA1
0a31dcfeb1957e0b00b87c2305400d004a9a5bdb

SHA256
fdf7b42b3b027a12e1b79cb10ab9e6e34c668b04eb9e8a907d8611ba46473115

SHA512
4a8cdd4b98432ba9d9b36bc64aab9a2eab31a074d1cbdfab3d35a14216c60752b5580c41bbb70104993420043685d3bd47eb6637b8fcbb3f42f76a15e4be041d

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_dutch.txt

Filesize
4KB

MD5
31a29061e51e245f74bb26d103c666ad

SHA1
271e26240db3ba0dcffc10866ccfcfa1c33cf1cc

SHA256
56c8a86fa95eab0d8f34f498e079b5516b96d2a2f1ad9c2a888555e50e47f192

SHA512
f85865c1e9ab45e5586d3dd2b45d15265193e8a3c34b6bb1ac7e415a1ea878cfb044e8e01012e917e4f00bb9e0a422f56253f328df1bac99a145e19433354cf8

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_english.txt

Filesize
4KB

MD5
da6cd2483ad8a21e8356e63d036df55b

SHA1
0e808a400facec559e6fbab960a7bdfaab4c6b04

SHA256
ebececd3f691ac20e5b73e5c81861a01531203df3cf2baa9e1b6d004733a42a6

SHA512
06145861eb4803c9813a88cd715769a4baa0bab0e87b28f59aa242d4369817789f4c85114e8d0ceb502e080ec3ec03400385924ec7537e7b04f724ba7f17b925

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_finnish.txt

Filesize
4KB

MD5
9e62fc923c65bfc3f40aaf6ec4fd1010

SHA1
8f76faff18bd64696683c2a7a04d16aac1ef7e61

SHA256
8ff0f3cbdf28102ff037b9cda90590e4b66e1e654b90f9aea2cd5364494d02b7

SHA512
c8ff15373b37e848e6239a82424569e77c82a5fc557d17e7d2ed1d0d2b2f7d026cc1e2bc98cb5ee945c02cfefb82803c23fa6a26f48ff0adcf762f94cd5dd035

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_french.txt

Filesize
4KB

MD5
10c429eb58b4274af6b6ef08f376d46c

SHA1
af1e049ddb9f875c609b0f9a38651fc1867b50d3

SHA256
a1f6ba57ee41e009d904905c0ce5e75a59ee6790e08542561303109e1faafa13

SHA512
d8760f61760bffd8671b727d386ae220e7e6e68829a01553cfd5eb60ef8bd1d7c1b25e7b17a6db5bd17ba6712ef44999726764459318e784843c73bc4facaf46

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_german.txt

Filesize
4KB

MD5
5c026fd6072a7c5cf31c75818cddedec

SHA1
341aa1df1d034e6f0a7dff88d37c9f11a716cae6

SHA256
0828572e4fa00c186dbf1d9072a6154d65cb499c6a37e338f3305f77a2fee382

SHA512
f9d28714b2a05f8d9025f1692e4d7e8baa6daf6176353f65646a38814a242ef2adededa44419edd69f10cf96ffba506dab7cb6e52111457bf69cffef12174b12

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_greek.txt

Filesize
6KB

MD5
189ba063d1481528cbd6e0c4afc3abaa

SHA1
40bdd169fcc59928c69eea74fd7e057096b33092

SHA256
c0a7a1df442ac080668762df795c72aa322e9d415c41bd0a4c676a4dc0551695

SHA512
ce59ad9b17bab4de1254e92ce4fe7d8c8242832f62ab382e8f54199a9932cd11b5800cc33895441426373d5210cc74104e0271b721a7e26ed400b716ae4d5903

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_hungarian.txt

Filesize
4KB

MD5
18aaaf5ffcdd21b1b34291e812d83063

SHA1
aa9c7ae8d51e947582db493f0fd1d9941880429f

SHA256
1f45bb7bdfa01424f9237eec60eba35dc7f0dc4e8c2e193fe768fe96d3ff76d5

SHA512
4f3e56d1abe26b56d3f805dc85baaca450c0c7bec57ebcf8a6bb6ebb8588307dad130c83bf792bac76694909a14fd6a4d7d1e9b31e32fba11256343b9fc18154

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_indonesian.txt

Filesize
4KB

MD5
1514d082b672b372cdfb8dd85c3437f1

SHA1
336a01192edb76ae6501d6974b3b6f0c05ea223a

SHA256
3b3c5c615fd82070cc951ab482d3de8cb12df0b3df59fbd11f9d3271fa2fbca4

SHA512
4d41c945ce7c94746875b0dbceb14811d4966de4e97fe047406a304162fde7e1e2a16367fc2e43978e2e5aa66749f036b4444aa2312673c2cc3af296e8b77f55

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_italian.txt

Filesize
4KB

MD5
8958371646901eac40807eeb2f346382

SHA1
55fb07b48a3e354f7556d7edb75144635a850903

SHA256
b01ec64d75fd1fbd00fbeb45a3fb39244911a8b22bb43de4e0c03f205184f585

SHA512
14c5dbb017822336f22bf6779ccd4a66604ddc5f2c3caa24271e96f739fef007754d96844efa422d6682cbcd2d3bc902c36f0f6acb3eb87ed8d7b3f885973554

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_japanese.txt

Filesize
5KB

MD5
7e1d15fc9ba66a868c5c6cb1c2822f83

SHA1
bfe9a25fdc8721d7b76cecb9527a9ba7823dc3d7

SHA256
fc74e26a8baabbe4851109512d85173b75dbf7293d41eb3b92a1957a773c8265

SHA512
0892be14a858cc860766afb1c996b2c355108a7e50971ea3ec00d15069e919a6eb05a61fa839bea3938492c391e274144c5e248f4c204a602bf36adf27e5b406

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_koreana.txt

Filesize
4KB

MD5
202b825d0ef72096b82db255c4e747fa

SHA1
3a3265e5bbaa1d1b774195a3858f29cea75c9e75

SHA256
3d1399f5323a3ece1b1a8b3b31f8fd7f50c3bd319ab3f1c38c6e347452c95314

SHA512
e8fc7cc09f431301d22a07b238179ee053505090e3c4db30ead061513fe7159f1fe8b80efc93f4597fe00f01087bbe0bb2231e13693d72c8def138657cb91566

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_latam.txt

Filesize
4KB

MD5
7913f3f33839e3af9e10455df69866c2

SHA1
15fa957d0a6a2717027f5b35f4dbe5e0ab8ece25

SHA256
05bc1f4973c6d36002ac1b37ce46b1f941fcb4338282e0ec1ec83fb558d1a88c

SHA512
534e541757d19ee157a268bf7ea358b48015f400542fcfa49cdb547cd652926160f015fe2cf026d9c4996e56ab90ca3899dfd457997d915bf6bc9d7bb00ba804

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_norwegian.txt

Filesize
4KB

MD5
58e0fcbee3cca4ef61b97928cfe89535

SHA1
1297e3af3ca9e4fe3cc5db78ebbfa642e8a2c57b

SHA256
c084a68b65d507eb831831aa2ab9afb9536cb99a840d248cc155ff87fad18425

SHA512
99aff0c481e34cd0e4fcbb2af471afb56d91aa11be664462b08e17ae169ca03ef77e7063b4ecd0f38ca7b2f6dc0bf2e316c7b31dffbbcfc763cd8fae27dc78d2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_polish.txt

Filesize
4KB

MD5
9b0b0e82f753cc115d87c7199885ad1b

SHA1
5743a4ab58684c1f154f84895d87f000b4e98021

SHA256
0bdeee9fa28d54d384e06ea646fbcfe3f06698a31dfdc1a50703ffe83ad78d32

SHA512
b7780b82fbe705bc8e5a527c011eb685c99ef0b2eb810617b9f82b891341af95ef1c2f46dce9e458c0c4dcc3e7a0d21db6c77f03419cd1c4b521a9b72f9017df

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_portuguese.txt

Filesize
4KB

MD5
eb8926608c5933f05a3f0090e551b15d

SHA1
a1012904d440c0e74dad336eac8793ac110f78f8

SHA256
2ed2b0d654d60e0a82b0968a91d568b775144e9d92f2b077b6da75f85ad12d04

SHA512
9113c42c38836f71ff0cc7019aff8c873845f47fbf1ab97e981cb038f4d8495b6df784402b1ee9666e8e567ae866b0284c81e6a16efb47131d5ef88569c4843a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_romanian.txt

Filesize
4KB

MD5
6367f43ea3780c4ee166454f5936b1a8

SHA1
027a2c24c8320458c49cd78053f586cb4d94ee6f

SHA256
f8d1972e75a320344e3c834ba0a3a6a86edb39e20ef706bda9b7965d440d1998

SHA512
31aab33e0d272cb43a8c160b3d37256716a683e5052192fd0e4d3cdaf30a10a9afa9d26d5d14ad216ee455627c32892a711d2bc137ee7a7df9a297f001a19e32

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_russian.txt

Filesize
6KB

MD5
e04ad6c236b6c61fc53e2cb57ced87e8

SHA1
e9d4846b7e6cc755ee14a5d3fa45ee7d3bf425a4

SHA256
08c775efa77c2a92d369f794882e467b6e2526e61bc7aa7724f48e174524502e

SHA512
0dfb7e6d811d649103499018f3d115c542fcaba420ceb69124a4d837fe162ce514e7be2040860c5ef5f9c01c961fa6eea8730606b73ec107d87597989b6fd331

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_schinese.txt

Filesize
4KB

MD5
56dcf7b68f70826262a6ffaffe6b1c49

SHA1
12e4272ba0e4eabc610670cdc6941f942da1eb6a

SHA256
948cad1bb27109e008f2457248880c759d3fa98b92c5b4033b94f455cb8ac43f

SHA512
c3fd9caf0bd4c303a7cc300faada9cfe6dd752e82d67625b31f4c0c2c091596508bb477fe19f758fdf79b25b8ac3f5320a8785d2b6705b9bcc28a054a59454e2

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_spanish.txt

Filesize
4KB

MD5
66456d2b1085446a9f2dbd9e4632754b

SHA1
8da6248b57e5c2970d853b8d21373772a34b1c28

SHA256
c4f821a4903c4e7faea2931c7fb1cf261eba06a9840c78fdca689f5c784c06c4

SHA512
196c2282ba13715709ece706c9219fe70c05dd295840082e7d901b9e5592e74b1bb556782181cdbe35bd1ab0d6197fef67258b09491fabc6f27606dbed667d49

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_swedish.txt

Filesize
4KB

MD5
b2248784049e1af0c690be2af13a4ef3

SHA1
aec7461fa46b7f6d00ff308aa9d19c39b934c595

SHA256
4bf6b25bf5b18e13b04db6ed2e5ed635eb844fc52baa892f530194d9471f5690

SHA512
f5cee6bba20a4d05473971f7f87a36990e88a44b2855c7655b77f48f223219978d91bcd02d320c7e6c2ec368234e1d0201be85b5626ef4909e047e416e1a066c

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_tchinese.txt

Filesize
4KB

MD5
194a73f900a3283da4caa6c09fefcb08

SHA1
a7a8005ca77b9f5d9791cb66fcdf6579763b2abb

SHA256
5e4f2de5ee98d5d76f5d76fb925417d6668fba08e89f7240f923f3378e3e66f6

SHA512
25842535c165d48f4cf4fa7fd06818ec5585cc3719eff933f5776a842713d7adb5667c3b9b1a122a1152450e797535fc7a8e97ebdd31c14b4d4900a33ede01f3

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_thai.txt

Filesize
7KB

MD5
53f7e8ac1affb04bf132c2ca818eb01e

SHA1
bffc3e111761e4dc514c6398a07ffce8555697f6

SHA256
488294b7faff720dc3ab5a72e0607761484c678b96d6bcd6aad9ee2388356a83

SHA512
c2e79c2505a6fd075df113ffce92ad42c146424ca39087601daa4ed15a2b5528d478a093921d9d8a738c7b6b963275a0693ebe526b6e2135d14ced03639d0e70

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_turkish.txt

Filesize
4KB

MD5
29f9a5ab4adfae371bf980b82de2cb57

SHA1
6f7ef52a09b99868dd7230f513630ffe473eddf8

SHA256
711675edb20b3cb70acf6cf75f2eea8e0d87c8ace3e11c8df362b4517427a34f

SHA512
543fe63f791250e05e8fda24fd2ceadebb4c8925e8927de49ae490895c87eed3e61a9ad50237532649f99fe3165836261de215ee3f66ffbfc6d677ddeea7732a

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_ukrainian.txt

Filesize
6KB

MD5
cadd7a2f359b22580bdd6281ea23744d

SHA1
e82e790a7561d0908aee8e3b1af97823e147f88b

SHA256
3dd0edfbe68236e668fb308f92fe7c6493dbb05bfca85a48de93588f479ccc99

SHA512
53672dd13e6ccbe96f6d4a61297c595b6d6cba8de92caa51ccf8ab1d8a82eea5a425eab348f295b9ec27de0026ef849d9230f751a46e040be8863923f91b8519

Download Submit
C:\Program Files (x86)\Steam\public\steambootstrapper_vietnamese.txt

Filesize
4KB

MD5
f350c8747d77777f456037184af9212c

SHA1
753d8c260b852a299df76c4f215b0d2215f6a723

SHA256
15b6a564e05857a3d2fd6eec85a5a30c491a7553d15ffc025156b3665b919185

SHA512
efb86809a0b357b4fcd3ba2770c97d225d0f4d9fb7430c515e847c3dd77ee109def4bef11b650b9773c17050e618008fc03377638c1db3393ac780b5b0bc31b2

Download Submit
C:\Program Files (x86)\Steam\steam.exe

Filesize
4.2MB

MD5
b52c89b709394038e3ab592831dd5e35

SHA1
e32eded6e6d6f4c846a25119dda83afb751898c1

SHA256
7d0ca9b7dee8c4b3d0ea55d5dd60ab7343bfafb4019d8b33578ede69d6f6ad92

SHA512
288bb968dd7f96f463801da6a11904cc140ebc97f62d72185682549901bfe43863cf4203435d3221e72de1975ad1edb4bfc154fa48f40a45ef0e126c8aec9ac9

Download Submit
C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping10400_2045114852\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_ComponentUnpacker_BeginUnzipping10400_2045114852\manifest.json

Filesize
1003B

MD5
32ef54fcac37d3d390c05880067559d6

SHA1
ab44258473c7c1a920596ccc33463a765e5fe60f

SHA256
d97f5e50808d1ef75bb241df2dde8f7293b9bfcd498dc525e258c97b39564211

SHA512
3bcdd94edb8b0df2d1684ef865f9711bf544c4c4f6adde927611b648dab2776e398e3b29681369a80e8c7ebfb9cd100ba8469ea69c5034ec023c796d8cbfefa0

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\8f0ee434a6d3c2f7\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8c7e25d586657839cb1059416148b93f

SHA1
08695cf25d625f451209b34fb1e1dcf0eb02a187

SHA256
915609f4db27ccac416420aeb34f4fffa129a0947af3497e886efc57d6f9b11a

SHA512
db350f7c6892f82e09a6a4dfe0ca42b4c74ca2925389a9b24bbc42f91c8231175490f9e6d2a7800eae9f3599175e13a6197fe5daf7e2b17695d14f679a6174ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e41dfe995be386204b1a01b60b81940e

SHA1
a891577932d96766882303f1a45f84e15abcac6c

SHA256
79f592848d9833235dffa579fef531cfe438c24228ca70e2f31f5607ee376cbc

SHA512
00e0eaa8562334b1f2fa172007f4e5fed3a2d3e33b3979d519ad7aca61fa092211c595584129e0c9345d04337534e613f73f792eb3ba6bda4f592597b4e3474c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1be81e0b9cde4869707a92cb21cc0dba

SHA1
b82b19db7e75ee43c674f67b398676759dd47e86

SHA256
03e5c96ae29f6d13fbe563907376922367a01885a064b88187d3883e8802377f

SHA512
884970d31d2f0d6084a9779a7b2cb319c90d1f3478fe663bdbf04fcfe9c390f702c9032ac4094777cf518b887c91ead5ce2cc5a7518a58b850d0e7d7f3f4a8c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
d5587f0096133887a700ef221e49fab7

SHA1
39bd930849334e645dea90ed9845ea2955895b65

SHA256
0f7c2363c8b518ef43038cc0eab01e71dd4e5d3dd1b836da9a4d100348abc402

SHA512
f0cc7513b53aeb8caa0e79c25ae6efa78be9188743377db3b7498ae849cdd7bd945b35344f263cc5f07bb79036ae368c570363e5053fa39ac35be9c7a17ee286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
1ffc857d9b31b6b902ac7e951e861b8d

SHA1
2cb5946af31adab427b761bb3c4947eb198062cf

SHA256
fe120b07595cd282a194da6ed7ca4c322c95af71fa77c7b203d1f22a95968bbb

SHA512
830b01a5fb720ddaf2352f4de0274b25a3fbc9a6332bd4900f9a963594f2ff589cba9fd976fdc635d2a364ad7f68b5d968b5ebff88f7d10612375cb69a33fe1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a69e9d1585e50ca3631688fafb1987cf

SHA1
e6b7cb0085d2e1e889bb2fe719cc76ba96b48a1e

SHA256
97c11ffad242e81c447a4bb1d2c770f399201adfbef5a339d748107fa19965f2

SHA512
129f516411d74b87d0e32a9dc4ad48506066ce633281e23e323d7edba651146fca2aec62df42963e1ba347a9bbbadf1b41c81e0371f2770d929cae8ca1080cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7731f51a59501da1f53f7a498ca7da23

SHA1
bd03ed1e71e40eb395c4d36e9b6d12f5527a66c6

SHA256
6dea1c1347edf82912e2bbfda299ad709396f589f72a836dda51c9dce129a773

SHA512
72f7a5cd12616577e23a7d2c7cdd4f53f834890f2ebeb44397b163d2188a9b34ca1f133fb35261e42996ef35fc37b34ddf7d483884a3442ae7755208d91a2dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8292cde46ce439fc0bb8459e80839429

SHA1
f4fa5faad4b487e00df2b4ffdbb8be0def6e3b6b

SHA256
6e029b8387080a0a93b2c9619652f1b881d05be7508de7eb96ed879aa9bc759f

SHA512
6b5946c7dfd892eb52a87896627548c05e0aaa64df86e0cbe283c10eb2d57072b866ae135e6d6a55850a5ebdf3ce4cf39a83dc7fe958a9d805d9ed3bd9c49bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
371dc6e8716ec93ab690a4ae51427150

SHA1
2df920e95bd204f19cf4450da3de7395291bc0dd

SHA256
7d618dd3dc3566b6b3110612a8d06b45a5a2ebcaf2733d39495ef7e529ca773c

SHA512
4d62b065604cbacccc7abb180e8183fe5a7c6e0cf831d1917e5e98d81c6f85dbe9bd9f013ea4f030b41d2fff99f1b6b54f85408a217ffec4d27bc51023c023d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46dc060692f41776d8afec777dda1e80

SHA1
7ae11c019eded88e7836e8328f018ebb1bcb6e2b

SHA256
dd442fb54cf896113af6ca5fd5d99560bb0ec45bafbb5b61e44bac09855222d9

SHA512
76cc287a80c124e8b435ff1645f5bdd37d1b643793c5586ce2009111fd297ac7be9989dac17c8bc6cc5192f6b3523f8c28493f9aaa4a2e51f3dff615d6276e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ca135ad26c87c09c67a29e892073cc93

SHA1
ef065813621b90de60ff7bcefa240c770da58cae

SHA256
09fae3e4f73bfaee06edb78e7f63f116a0c4dac71be08e9d00b0f8156f9ceda8

SHA512
a803804a4252492e00b6fe56aabb176963cf01237ea78b184f2daabdad10c3d2906fc125f51da0ec5dc91e78354b3e1be9311a363de033265cdfe10311b6e711

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
39a964802734245e0c6cf59cce6b7db5

SHA1
80b0d771260b5b90f2ba51d14e5641a6a6a56ab3

SHA256
36903de9bfd18147fc1d6dc00cd6fba61e4e4d180967aae81ec586e266c9202d

SHA512
e41d1eec995f3a066c04952fc4ff9bbcd6bc10a678f16eec7367bcd2222c19e84ab19475dc4a148abb77ef842e453fb998bf18c9fad4e89fddd0e16153e9014d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fdfa866289748e4685cfde9ff011aae5

SHA1
12ec45e268ca6f13b0610f0c21810d632f6ef53a

SHA256
b18eb5c0d59d313a26419ee9d588910306ba4d64da859b50f1fefa8a8e52bab9

SHA512
023f86b47a5ca29fb39a5756e08b488d30b329e1dcbcd31da369bba6511829fe0914c7ba63fc7573aaacc2c0acc968084af2bf287e80e162872b10fe51399155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
19dbab81378d8f46f3acb4692dd28197

SHA1
3fd2d97464472d7c83fc01602b1056bd61ebc955

SHA256
d936469e40cfd65c0e60921ac58242d4adfa30435de1ea931198a6cd53f9e731

SHA512
0292863d4addc0ed000b87722c3522fbd1763d3ebff1cfcf6c3dadffc1fb54fe0315c1c6818d74624033cb52b4c39422f3a114857af672288243524c2bb504b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4944b6c9484a3eab7520d875276d78f5

SHA1
8e25aa0ceec49de3e8fc78ae7217963a73137919

SHA256
be22b0d8a33200d4e75d2ae04ba747cb13b9aca709e7f4db3244d897bf36b260

SHA512
29eadf9502411f429019514ebc2fe4e9165434e564682abcda9d7d25def2aa0c82f78518c3feb646c80f6f7a4d8dcef50c7fa28a218195704b497e6783035d7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
85c0b87f58f170072f218c94b491e7f5

SHA1
d8a5afd224612652727f61da041ce5819a220a8a

SHA256
aee1736da3a0f97213acb9db64f76d6196282f0fefd3f448e2e75559d3f94c14

SHA512
62bdee19bdd98f8ddaae4cc7f35caa5bcda3dca32c6d6b13d0030ecb505a1100057b2bdff0e333c0034ff244bd5e038dc1a86d0b03f71ca5e3ecc4fc467f5991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1995bdf1cb4a2f6b7fb85400cce5e5c9

SHA1
f1c562366d52cd90e24798bb45cfa4a27b5951e9

SHA256
dd98150d2986e4bd72c2a55001d361d5a96868f376b6d0298690ab8b8def34d2

SHA512
72b51a5fe0b700a209696c73eb2ad5f9d434c2f919c93aaed657b23b6de0fe6bf1e71dd5629f65b413855600e09851133dedae8ceb1598bb66ca56f8e15c3b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5ff8c4cc84f6f18ca788c2c93833ad8

SHA1
29201123287bf707e3d0e9cc6bd91de522f953c7

SHA256
27803a8da1f799b038df609e6445688a0350c5ef8848ef7f60fc2c646aa6a6c3

SHA512
84d31d16796f4c6c31b7ef811e6981e5d6b976129687ef6abaa0202a623f0cb7d42cacce5cd3cd080fd32ef37a6d52379f3007feaed58a8c1bc125d95ab99fb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c27a197bbb7294c38cd2912e61faafc

SHA1
3ea8ad69f4bf7903fde4763df1abbd15d27837bf

SHA256
64d6bad250e4d116624b1f1796db4d0bc44693e838e69f338e1850d02e151408

SHA512
b9f54ac572240188a2a66599e935ef841fb3c7c5b8015c7015a7e1afe9a49ae187e7681fa7150a94cd15ec265e1776e3df310bb496eb7af62f8807bf11d375e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3c78623755208dcb62bb91290e8fae2d

SHA1
c8178d9f948f77a1f45869ebb4e4ca5d781cc4e7

SHA256
ab5fa3355123984b08da038efa28897428ceca6bbf4d9de94f7cbe3235d6dc12

SHA512
043e8afd9ceff2e6cdde1b771cef151433609aa2a474ff7e426434aa795897cfeb882f2014dc9ce04e863c956e6e4a20dd400eaf06c5a7a4ec2371bcfbc6d8c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f00ffa47880802a94f66b407e3289fa7

SHA1
c50611067607be141800a46e85ed4f7b8e238604

SHA256
4f998217d0b8e17b3cbf906a1c03a32d013cd640c2b7aa536e3b3b080bcb16df

SHA512
8c620df5fbd25e354409ed0ec80e3218fb6965df1537c5598b11fe34e5280c17a60714453019f0c73285b3b44ca12281faf4d6e22fe0109dbc38c2ce667d5139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ffed579e529f0ae76d1d1069d440c95d

SHA1
29ff3fe7a39f93d2aaf1c99be5580722986e8994

SHA256
f8acb00e527a029797dc94c3ce87ccf44e90e23f9dd1046a59458ff456471377

SHA512
9feda84c5e4a62e0a13f3d7651edf3ed16253f1378933b9ecdcc99b77d473a192d731e8d964d0bedb83a33ed0de8b378069288f0ffc0d9c4bb83fabe96b86c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b2a85edac86a09efc5d42b4c35252b1b

SHA1
1e97990c29bf3fb9c22b11a9d3779532afb7d463

SHA256
606c6092b71d7ca04179033e379e8394b78460e8554e597730a5c28ba869f023

SHA512
dc650b1736b3c6df1ff8c96bf67dc39fae91aa0d9e92b7d5a2cbe78f74a006f0e0c4815e53c4c5f28851dc6d89c28fb3caa9e5f1adfbc2aba26dfd418fdbfd36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
99eafedba6d7288f754ac18212bd1049

SHA1
85bfc1347c978b7c9507a150a0ca4a26be9fec88

SHA256
cf9d563d5de4ea4832bbe7502a36818a0b7e8316c9d6cd4a7484a6cfcf2aafc6

SHA512
ab498f00cd2ca41b98c05f9c08d45f5c574f6d3bfdf4a0bdac94f118926928e81a932961a97ca99841c073619a9e66e64cff16a09a11fc73a31d4daa193eb3a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d2b1e4117c8d3f2f931d4a420907569d

SHA1
a096be9e522bd168a42af26fd3d9476e640c7d05

SHA256
3bc7bfb356a29ac314f6783554005a428b32de2012960f8fc9a7b59753e8a443

SHA512
41de1b797d0def6f502941a06c6f2520e5a8755515fd05d9ab4cf787658d2ecb8306ed9cd0ea35124412adec55e7cc1c851d783dd9b87ff0714d388d6978917f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d688c6a1ab539489379d107df9736ad

SHA1
6c540b3619e042e394941413fd85fbeaba223e8d

SHA256
0fd00cb0d95d33eabe731a5c139c3ef8c8358dd3614bbefd11f436123b4743b5

SHA512
7b44c16f9cd883628e81cbca6fb4cd2b2f227551f37e464aa95cf3c104009835fe27a61b885832c7562215b879c5ff45d3d80b654057eb2fc6387863a4e9679c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99b66ca8ecb6a06587d02618b920e8e1

SHA1
f8f6db1745388bb9120d0635b156757f6acf6f66

SHA256
3de844806314d96488a0bb4935e78276b2c467b9623eb73861097643286c0f2f

SHA512
1f9a6144cd4b77c846a2ee2312f2f34aaa8b5cc2b0c37031000d06531d8125bd8238f3baeb098529bea828036c614eeb290235bb51ceae8cc0e5553f05b6cba7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76f5357babfc145e1dbf9ffe9b3baf07

SHA1
2ccfe5ab478d591f9102eefbbf7e94410ff20dd9

SHA256
f6999ca4defe655be96bc3335b652f95170086faf077283515af01696b349403

SHA512
66a4b3a1c79abffad8ff320dc27e1b78b7fedcc6745ff17f12e1714d2cbab5d62d536765f9258b88f114d3f690fabd2c01724e65f51242deb0210faf03891eaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dc3704e194facf2a981558ed5c46e477

SHA1
4c4a1129ce577ae4bc44e6f6a0c229dee7ad7e65

SHA256
068616f8e968a424315b396c98d10267fbe5acae2b99f42a0c890e07faa67f42

SHA512
620ce9969685536054b3308df84011c53e1d9b6afb260fda60d425931897748d2f7800e492dfae1cdd11ecb99c27f15041bec8d792748c92a023971c44de3768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9a372e0e6b268c09e6215256f074e181

SHA1
99e8e4c941db70571a02240cd1bb72025422ce43

SHA256
28dae0722700a8cc27e53bb7f543fd775c6590e69f02ca12a4f8550d5f910530

SHA512
755e508af131bdae17275c7722b06d6c2663b729f445d9850bb9409ba974a9c2dc29ac731f77bf7feae7d120044f6b298c1be26f7b031e57610f36d34348b3f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4fedcb949c47c900667d48d22e29db77

SHA1
6c44bafc25da745542f0f415c40c108d6cc775e0

SHA256
6a32b2422c50dcdd3d61ff77d7eefdf25d3e07f585bf1cc5a32011030f2fae12

SHA512
54e62546b42e70b47603269f013bca7333b34253def255e90315809f5d6a4f13462a6d23dde7152f4f6e10dcbfd48149926c8265e883b6cd5591701bc3ca0274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6241f82015076e5dd10ffcb04b76bb2e

SHA1
0906e54136c7ef191513827f2856e8d8a43df913

SHA256
ae7352ff43744edeace35179651b1aef24136b17e8f0f50a06f03db57df98a83

SHA512
01e1aaf83286b88c22d1bb557ba84a7ab8cfa42669383759a65da7ef0a54a18084e35a8eabc46a2bec70d8a668eaf6e84c84c291cfd4aee68484ac07cd60f960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
227e60547c7977efd09b44be95b62ef5

SHA1
086eb46250e28c49cc9b0ecc8376b60862b871db

SHA256
c6e92f7f7e3033216dda14f61322c73d5cb936cbcca9ab2eb74ec9720311da16

SHA512
73873ade423f0d2f2c5de9ba9fbbcd1605a7a0a285d7563f61c25571307b5638f45f20287e115a246f94652fb317f5d24e0688c5cf0d888222bc94fe124ddd09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f5166399dbc7bdb3589d938f58d7c62a

SHA1
6c89af97930951113f3ec33b2d9ae414bbd5cc3d

SHA256
23478adc4229f51fff219a41952abd2bbc1d6972228ab2315c2cf539aacba2ff

SHA512
e1315f8be89f9b0ae4a337fd0a42eff7f15d545653dc303ca4fd72ab9b1957cc9bce65b5fa64f7d89445337e4b8789baaad8e9230e707af2d836f611d6c994a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d443cdafd8ec0e2d4d78bedc58e5062b

SHA1
7a114c6c1333f718368ddf608bdcc865ca0b48d8

SHA256
ef0be2622f80b73373576d8ab5f8fda2f2b9aed2ec799d09131d8689242dc862

SHA512
7eb35b73ffbe5753a5fc8cd9e7358923bd3f563ab6adea35010c1b837cdee08e3cb38db29ce401ab4b184ecbc3dd160a7dd6ec2077fb2148b76f7a3c71d25ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2c3bd378c5170f9dd309469eb75c3780

SHA1
a2de3a386ca0707f3840486dfa8dda5df7746483

SHA256
62344183bd0ee739acd66860951ae5746b0744a049f80ece542288a9dcb56368

SHA512
9286029db01f1d1979e899b8d14940b819731f4aca1658c9d3c043125fe0edcf71661be0f9d2c09c9e826e4573ede17b28e7f374f3a0cd366ab10075d730e19b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20dc8ad2572cab055383f5f46ffe136d

SHA1
f78f43d28452643d9dcf53c7013b61a1f87a0701

SHA256
9293a17b894536d31c61464bffa945454bdad2d628d36ada0981c7484fa75a45

SHA512
73dc76b342f8e22441b8ed803ea2cded8f3e4fcb08a6c67a262af2abefc245e17c1a45a4dc137d5a3338b8b987c36c948196ea43345ba0e00d1257e5b036686e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8e9ad3470c143bbdda14291517148630

SHA1
1a7b2a8d0ed3a6b9c13d5f1921bdc7a7718284bd

SHA256
c74676210c7e98a2396daa800050af60c808edd9f137ed5833f2036a0109698d

SHA512
d35fa704a2104cf9e3d4b6972018e4c862c6d1f5fc7ffe95263b71b4bdd7b384fb123818ea895cf44cdf79351fb9e6607d7531f3cf1a0ad785a51fb86e7cfe91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
771b9b426390dfdd42b360c8bc54114b

SHA1
10bc3af777e5b97f58eade78ada8bd32b0568019

SHA256
ee2fdb59ee19025326b10f4100649fb8e6835b858cc5958386b76f01367f33e9

SHA512
c80313ebe7df33af098e243110a7a571e0540f13c0eb7c517d9f9c2700b0ac8ab4b1e0d61d836527194110a817384bdfb1300cf1aa059df3b6a8fe6dee114bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
7df0cd3a31de8f6a5efa66781d1396e1

SHA1
8adf4ac9a52081557ffbbb032fad3fd0005768ff

SHA256
dce88e3d3177f3853a665c4dc92798e6199bb3d124cfb468fe22b338be67d647

SHA512
26f54e03084499f1f033da39522f1affba768fd5e224d0d3b30a513701e42dd7c35ce8fe9b88c2e7e0556eb7d1f42f64d59a8b53e73601f2c7b0722d82fa4c36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
eb6d3d43d9da1743df4b91972593e998

SHA1
c321ce53b85adeb708cf3285639b6cb240d5c5e4

SHA256
45d4efaa9108c7aaa6a1661887ff6215a79a9ac0e6b8cbf2727102d8aab0dde2

SHA512
d5553c7a197aa759e9d90ae5961f27502b2cf6c763d24188733d2ead65a0aeb46b514c821c3adf54f7cd61c49a8a40b64479f96162f4e2e5305c10752fa00926

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json

Filesize
28KB

MD5
154ea355d71987cca80b7e74c7ad7729

SHA1
bdfbf23c86b21e500076eac6e0decbeb96084ad4

SHA256
c3b400a276408d01c35326c9bc101b245a1df58cf769839bd8a59ce1c1106e99

SHA512
d04396031698b2abe3414ce7640219e6f4890719bfca63484b8b3c4a599bfe0d3a3aba438b8d98c3a97478791f77ec246575853236e139717a1b515c672b0593

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
42493eb0b3daec34f80c76e0b059fd31

SHA1
a26e2ba2abb10186fd17d75ec95c0bab4089bc39

SHA256
8bca8a5b7bc60a72cd4fc542400d198fbd74c9da70dbbaf9bf1912b135a50edc

SHA512
3265e1a297e619c6730674fd756959798b1c7313f33a557b332a2c0b8b0316cce9a2ae77e5ce80e3de81e6d747aabd1c023e51a28620084b14072417970426aa

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe5e081c.TMP

Filesize
48B

MD5
ae907c98cf017e6e9bfefe233ddeb20e

SHA1
5ac63f797b8b9e7a50eef90f05f0e37653464c72

SHA256
81a4488a3077ff38d30ebf5ae8e0197ba02ffcd0d1ef830a475a94e08da919b2

SHA512
946c9a3bd2fa2b7dee7e9ad53d99e9431ef6ff24d851c76a8c77d8a4c1b246da15b43051704b77c445da0462323377dba10686cdaeb653db0e5e1f761a535354

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
795B

MD5
ea6fcdb71ede1820dca72865a9784332

SHA1
d6fa61bbdabbf91fddbf35981ea63e60277572ee

SHA256
e3a09d6922402413293b0405627ce69deb04f1313a06afbda8401302629704a5

SHA512
168bf3aa6612ad72b570faf877f517e49693897f88906522ff4d99c317cc61320accef774de0f69905b32ee4739cd9bba812264333b8ff1a3d088282a226da2e

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

Filesize
700B

MD5
fda6e9ecc79483c7cdb5b7ffbfb1bcf3

SHA1
58d04ae02e7872d26c3e5faca7f60c01bc374fb4

SHA256
d1606dec9c68304b347e9a94ee2be5035dd04c22903a5895c52b3d15584bbad9

SHA512
8ca33a8d2dca36d91fbf9c555aac724d2dc5fb8c19fb9ad3912cce2fd6314ea8cab11871dd918d68510edd6c2e2919ab01f97122cf9fff73db59ed03293bab51

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe5eb237.TMP

Filesize
484B

MD5
ca5398824371b8f3e43ee3c91f2b61ca

SHA1
29a52e213abe6cf509768e2882a1fbed694495b6

SHA256
4144375aaff4aedd8bfa3862955edba8131a4e58cd55ea94834aaa8374290b26

SHA512
36e00ce540a0a2c05fe854d76e8488947384b07bb7347666483705098225d42aece99741039e02e80d86d0dbb3e7c03b3486abd65dcf33b0690f57d6af46cf7f

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

Filesize
300B

MD5
f5603860dfafca043c4ef108dbbc6d02

SHA1
d27116ea0476eb407edcfc0194c867ad765d3b7c

SHA256
3116cb8fc85cf1f178c2915eafbbc7a142fb2b292455a252ba4cd9a0d446f437

SHA512
6a4c94ffbd8a91e86d14b1a9875d51f2315afb8dd8a0ecf0c6e84e497499a75acb9f77da60d292d662a37c8253a582d10debe91f2c52d63ab3c83602acd3030d

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe5ec6e8.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq96FA.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq96FA.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq96FA.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq96FA.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq96FA.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq96FA.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f3838f7d642c3a806f791911171f5784

SHA1
27f40560534e4370f9774bf7198643d8371793d6

SHA256
6c7f4149847447eb9d2f58f14b019432448fa25ae2ad316789f1908a97c5cef3

SHA512
fd513a0cbda3e5499f4ae4c720636e82135aa960c27e62dfc07e776afd03cb8afa5ce51ec90a7699906be95e3b1623f3b3d2ea23d86faa93bed766c0891bdc0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\151dbc18-936e-45cd-b813-b14bb7ce764e

Filesize
24KB

MD5
b2e71a81c16e49845ffdd76d38c7e002

SHA1
b9955a4893bb5e57a14d082dc3679ecc1089444b

SHA256
986fbedd7c84256649d0db8aedf795056ce878b462f5c6988d5db6355aeb2410

SHA512
d8e70190718e4a4367f70e4f26a581a9c93c35ad04662572ab75c91e9a610ce78ca1026ab1180c36ba5244b31fcd2c0ba9fb0e807a3cd446033839efa45290a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\5e707c00-9b77-4676-b016-edb1ecd8f148

Filesize
982B

MD5
71a492f0912074fa41eb7a5889fcf368

SHA1
ed7ce56aed1c942a475306f627b1a526e0b5106c

SHA256
e23ab9b3443fdb9125e799e001ea125814dd3a2b46e7a73124886f8e6b9a15a5

SHA512
1ee58995c566e6595fa4250254318f36e03bde6d7faa0cbb7aa9c685eb55e65e923f620a9790095424e3c80a0d4087cf12d713f1593935fb6c35bf3dd93a22bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\95f1d854-2153-484f-b2b6-3575e9531d67

Filesize
671B

MD5
f52121ce754ee12da5acc8a6569faca9

SHA1
9e6e63ea7a1f384e980e203537b21e55d68222fd

SHA256
12842c0b514205e7ae8d8a55ac4598683c03ea9e85168651dab289520daee89f

SHA512
e31665946e517f87ff0610d6bdb43b9e7317674632dc2d0de05f119a4e5fd41694499eb108dbc6e7b3889b34db974dea2f0cc57c39ce9e8e2e5481c7bbdc1671

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

Filesize
11KB

MD5
09e37369fad277f7e38a61625eefb69b

SHA1
082b307705abb8fd1e3703bf02cc85a3b7016164

SHA256
b4fcc6edb3823b4ed9480ce44f47a19021ec697f0f9c26a60d9845eb23d11173

SHA512
5516e12dd15b8589b69b32a848c1d161707177877579a356649276739d9cb1541e22765d1443c7cfb581ab27df80c474aca5452416ce2e1b9271a35c27f6078e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
10KB

MD5
36a0768a195602f6a51ac2505d1b5031

SHA1
408cb5a39b7f49ad66712dc9aae12e394cf2d3d4

SHA256
0ebda7f15405d22ebd2397e1cbce8c4d9f65fc71f6ae1388d69356b7f42d8e83

SHA512
f3246b34c22c8be6e8a493626cfbb4acc2dbc17bf7e0107f02945aaf2a190a03243da7f7eeb45682290c5f118d1927920a09cfefeda335bf80c33ba4bfc74994

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 778925.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
\??\pipe\crashpad_4432_WWQUUSQTDLXOCTKJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2584-2-0x00000152AE220000-0x00000152AE352000-memory.dmp

Filesize
1.2MB

Download
memory/2584-6-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-0-0x00007FF8E41C3000-0x00007FF8E41C5000-memory.dmp

Filesize
8KB

Download
memory/2584-1-0x0000015293B30000-0x0000015293D10000-memory.dmp

Filesize
1.9MB

Download
memory/2584-11-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-10-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-3-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-4-0x0000015294250000-0x0000015294262000-memory.dmp

Filesize
72KB

Download
memory/2584-12-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-13-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-8-0x00000152B1550000-0x00000152B158C000-memory.dmp

Filesize
240KB

Download
memory/2584-9-0x00007FF8E41C3000-0x00007FF8E41C5000-memory.dmp

Filesize
8KB

Download
memory/2584-14-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-7-0x00007FF8E41C0000-0x00007FF8E4C81000-memory.dmp

Filesize
10.8MB

Download
memory/2584-5-0x00000152AE3C0000-0x00000152AE796000-memory.dmp

Filesize
3.8MB

Download
memory/3948-13554-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13699-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13506-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13535-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13723-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13722-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13712-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13702-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13334-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13487-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13428-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13418-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13621-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13390-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13631-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13689-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13641-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13679-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/3948-13660-0x000000006FC90000-0x000000007107B000-memory.dmp

Filesize
19.9MB

Download
memory/6028-13260-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/6028-13267-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/9076-8929-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8924-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8904-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8906-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8905-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8925-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8921-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8927-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8928-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/9076-8923-0x0000021F6A3E0000-0x0000021F6A3E1000-memory.dmp

Filesize
4KB

Download
memory/18288-13292-0x00007FF902260000-0x00007FF902261000-memory.dmp

Filesize
4KB

Download
memory/18288-13291-0x00007FF902250000-0x00007FF902251000-memory.dmp

Filesize
4KB

Download