793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8

Resubmissions

29-10-2024 07:28

241029-jawmysxfmk 6

29-10-2024 07:21

241029-h6xz8avnek 6

Analysis

max time kernel
165s
max time network
395s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Koalageddon-2.0.1.msi
Size

46.4MB
MD5

155295f8dbaae190dd34adadecfb302e
SHA1

c720229eb480dadd40649a2447b3e618a83d568c
SHA256

793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
SHA512

cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7
SSDEEP

786432:EdQiEpqgLHk81Ywf/9gK7rhd8cHcSQAw8Luh1CKGSsKN4PgGagUiNaLFRB3p/n4U:GXEvE81vCjSE8yhAc1TgUiNaLFRdlx0e

Score

6^/10

steam discovery persistence phishing privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SteamSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -silent"	SteamSetup.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

112 raw.githubusercontent.com
114 raw.githubusercontent.com
122 raw.githubusercontent.com

flow	ioc
112	raw.githubusercontent.com
114	raw.githubusercontent.com
122	raw.githubusercontent.com

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Koalageddon.exeKoalageddon.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	Koalageddon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	Koalageddon.exe

Detected potential entity reuse from brand STEAM.
phishing steam
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

steam.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0344.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_060_vehicle_0040.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_070_setting_0301.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\tabStdTop.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\controller_base\localization\xbox_360_brazilian.txt_	steam.exe
File created	C:\Program Files\Koalageddon\app\asn-one-0.4.0-d3153e6fec8296ebfbc8936fdcef775b.jar	msiexec.exe
File created	C:\Program Files\Koalageddon\runtime\legal\java.base\cldr.md	msiexec.exe
File created	C:\Program Files (x86)\Steam\package\strings_en_all.zip.a1d7ed1cbfa3d83fe07a903083b74d814867e6a8	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0300.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steam\cached\game_details_header_mask.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_brazilian.txt_	steam.exe
File created	C:\Program Files\Koalageddon\runtime\legal\java.desktop\colorimaging.md	msiexec.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0404.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_050_menu_0020.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\bump_paper_w.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0190.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0350.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\voice_ringing.wav_	steam.exe
File created	C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\Koalageddon\runtime\bin\prefs.dll	msiexec.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_010_wpn_0407.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_045_move_0030.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\clientui\vr\icon_steam_vr.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\scrRight.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_sc_schinese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\icon_chatFailed.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\support_flag_left.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_reload_over.tga_	steam.exe
File created	C:\Program Files\Koalageddon\Koalageddon.ico	msiexec.exe
File created	C:\Program Files\Koalageddon\app\ktor-http-cio-jvm-2.2.3-619ea76ad4acc6f8eb952895cb7d3839.jar	msiexec.exe
File created	C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0050.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steamui_italian-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\icon_microphone_off.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_close_hover.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\genesis_z.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_090_media_0140.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\broadcast\icon_mic_disabled.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\trackerui_czech.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_hungarian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_040_act_0316.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\rampUp_2.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\c11.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steamui_brazilian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\friends_icon.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steam_updating.tga_	steam.exe
File created	C:\Program Files\Koalageddon\runtime\legal\java.xml\LICENSE	msiexec.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\localization\steampops_japanese-json.js_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\icon_expand_over_osx.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\c20.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\icon_steamvr_desktop.png_	steam.exe
File created	C:\Program Files\Koalageddon\runtime\bin\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\Steam\package\steam_client_metrics.bin	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_060_vehicle_0040.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_080_input_0050.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\friends\icon_microphone.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\tabSquareBottomLeft.tga_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\tenfoot\resource\images\library\controller\binding_icons\ghost_040_act_0307.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\public\steambootstrapper_ukrainian.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\resource\overlay_schinese.txt_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_010_wpn_0130.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\steamui\images\controller\ghost_035_magic_0315.png_	steam.exe
File created	C:\Program Files (x86)\Steam\package\tmp\graphics\mnuSepRight.tga_	steam.exe

Drops file in Windows directory 15 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\f77057e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81D.tmp	msiexec.exe
File created	C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937	msiexec.exe
File created	C:\Windows\Installer\f770580.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f77057d.msi	msiexec.exe
File created	C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77057d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI628.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON	msiexec.exe
File opened for modification	C:\Windows\Installer\f77057e.ipi	msiexec.exe

Executes dropped EXE 7 IoCs

Processes:

Koalageddon.exeKoalageddon.exeSteamSetup.exesteamservice.exesteam.exeKoalageddon.exeKoalageddon.exe

pid process

1620 Koalageddon.exe
2320 Koalageddon.exe
2836 SteamSetup.exe
3020 steamservice.exe
2344 steam.exe
2816 Koalageddon.exe
2796 Koalageddon.exe

pid	process
1620	Koalageddon.exe
2320	Koalageddon.exe
2836	SteamSetup.exe
3020	steamservice.exe
2344	steam.exe
2816	Koalageddon.exe
2796	Koalageddon.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exemsiexec.exeKoalageddon.exeSteamSetup.exeKoalageddon.exe

pid	process
1696	MsiExec.exe
1336	MsiExec.exe
2108	MsiExec.exe
2564	msiexec.exe
2564	msiexec.exe
1204
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2320	Koalageddon.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2568 msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exeSteamSetup.exesteam.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SteamSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

steam.exeKoalageddon.exeKoalageddon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	steam.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Koalageddon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Koalageddon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Koalageddon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	Koalageddon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	steam.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exesteamservice.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\Shell	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductName = "Koalageddon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4\0F00B17C060556634A44B1FF3DF15A7F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\PackageCode = "EFEAD4423A6F1324DB76D9F43705B59D"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductIcon = "C:\\Windows\\Installer\\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\\JpARPPRODUCTICON"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\Shell\Open\Command	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\ = "URL:steamlink protocol"	steamservice.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Steam\\steam.exe\" -- \"%1\""	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\DefaultIcon\ = "steam.exe"	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\DefaultIcon	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	steamservice.exe
Key created	\Registry\User\S-1-5-21-2039016743-699959520-214465309-1000_Classes\steam	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\Shell\Open\Command	steamservice.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Version = "33554433"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\Shell\Open	steamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\PackageName = "Koalageddon-2.0.1.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\DefaultIcon	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\ = "URL:steam protocol"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\DefaultIcon\ = "steam.exe"	steamservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steam\ = "URL:steam protocol"	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steam\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\Shell\Open\Command	steamservice.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_CLASSES\steam\Shell	steamservice.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\URL Protocol	steamservice.exe
Key created	\REGISTRY\MACHINE\Software\Classes\steamlink\DefaultIcon	steamservice.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exechrome.exeSteamSetup.exeKoalageddon.exe

pid	process
2564	msiexec.exe
2564	msiexec.exe
2196	chrome.exe
2196	chrome.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2836	SteamSetup.exe
2196	chrome.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2564	msiexec.exe
Token: SeTakeOwnershipPrivilege	2564	msiexec.exe
Token: SeSecurityPrivilege	2564	msiexec.exe
Token: SeCreateTokenPrivilege	2568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2568	msiexec.exe
Token: SeLockMemoryPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeMachineAccountPrivilege	2568	msiexec.exe
Token: SeTcbPrivilege	2568	msiexec.exe
Token: SeSecurityPrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeLoadDriverPrivilege	2568	msiexec.exe
Token: SeSystemProfilePrivilege	2568	msiexec.exe
Token: SeSystemtimePrivilege	2568	msiexec.exe
Token: SeProfSingleProcessPrivilege	2568	msiexec.exe
Token: SeIncBasePriorityPrivilege	2568	msiexec.exe
Token: SeCreatePagefilePrivilege	2568	msiexec.exe
Token: SeCreatePermanentPrivilege	2568	msiexec.exe
Token: SeBackupPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeDebugPrivilege	2568	msiexec.exe
Token: SeAuditPrivilege	2568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2568	msiexec.exe
Token: SeChangeNotifyPrivilege	2568	msiexec.exe
Token: SeRemoteShutdownPrivilege	2568	msiexec.exe
Token: SeUndockPrivilege	2568	msiexec.exe
Token: SeSyncAgentPrivilege	2568	msiexec.exe
Token: SeEnableDelegationPrivilege	2568	msiexec.exe
Token: SeManageVolumePrivilege	2568	msiexec.exe
Token: SeImpersonatePrivilege	2568	msiexec.exe
Token: SeCreateGlobalPrivilege	2568	msiexec.exe
Token: SeCreateTokenPrivilege	2568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2568	msiexec.exe
Token: SeLockMemoryPrivilege	2568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2568	msiexec.exe
Token: SeMachineAccountPrivilege	2568	msiexec.exe
Token: SeTcbPrivilege	2568	msiexec.exe
Token: SeSecurityPrivilege	2568	msiexec.exe
Token: SeTakeOwnershipPrivilege	2568	msiexec.exe
Token: SeLoadDriverPrivilege	2568	msiexec.exe
Token: SeSystemProfilePrivilege	2568	msiexec.exe
Token: SeSystemtimePrivilege	2568	msiexec.exe
Token: SeProfSingleProcessPrivilege	2568	msiexec.exe
Token: SeIncBasePriorityPrivilege	2568	msiexec.exe
Token: SeCreatePagefilePrivilege	2568	msiexec.exe
Token: SeCreatePermanentPrivilege	2568	msiexec.exe
Token: SeBackupPrivilege	2568	msiexec.exe
Token: SeRestorePrivilege	2568	msiexec.exe
Token: SeShutdownPrivilege	2568	msiexec.exe
Token: SeDebugPrivilege	2568	msiexec.exe
Token: SeAuditPrivilege	2568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2568	msiexec.exe
Token: SeChangeNotifyPrivilege	2568	msiexec.exe
Token: SeRemoteShutdownPrivilege	2568	msiexec.exe
Token: SeUndockPrivilege	2568	msiexec.exe
Token: SeSyncAgentPrivilege	2568	msiexec.exe
Token: SeEnableDelegationPrivilege	2568	msiexec.exe
Token: SeManageVolumePrivilege	2568	msiexec.exe
Token: SeImpersonatePrivilege	2568	msiexec.exe
Token: SeCreateGlobalPrivilege	2568	msiexec.exe
Token: SeCreateTokenPrivilege	2568	msiexec.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

msiexec.exechrome.exe

pid	process
2568	msiexec.exe
2568	msiexec.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Koalageddon.exeKoalageddon.exe

pid process

2320 Koalageddon.exe
2320 Koalageddon.exe
2796 Koalageddon.exe
2796 Koalageddon.exe

pid	process
2320	Koalageddon.exe
2320	Koalageddon.exe
2796	Koalageddon.exe
2796	Koalageddon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeKoalageddon.exechrome.exe

description	pid	process	target process
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1696	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1336	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1336	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1336	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1336	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 1336	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 2564 wrote to memory of 2108	2564	msiexec.exe	MsiExec.exe
PID 1620 wrote to memory of 2320	1620	Koalageddon.exe	Koalageddon.exe
PID 1620 wrote to memory of 2320	1620	Koalageddon.exe	Koalageddon.exe
PID 1620 wrote to memory of 2320	1620	Koalageddon.exe	Koalageddon.exe
PID 2196 wrote to memory of 2400	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 2400	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 2400	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe
PID 2196 wrote to memory of 664	2196	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Koalageddon-2.0.1.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2568

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 33DFFCC2520E29A77D2217F4D08EA4F1 C
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1696

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 43FCF871C659D04DD481B608F5AD61DC C
2⤵
- Loads dropped DLL
PID:1336

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B1D0571543CE25DD6AB305004F8300AD
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2776

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E8" "00000000000003D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2632

C:\Program Files\Koalageddon\Koalageddon.exe
"C:\Program Files\Koalageddon\Koalageddon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files\Koalageddon\Koalageddon.exe
"C:\Program Files\Koalageddon\Koalageddon.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5079758,0x7fef5079768,0x7fef5079778
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1224 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:2
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1592 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1536 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:2
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3292 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:1
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3544 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3660 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fdd7688,0x13fdd7698,0x13fdd76a8
3⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3940 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:1
2⤵
PID:1632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4080 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:1
2⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2884 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1672 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4196 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4256 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4260 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1788 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2772 --field-trial-handle=1428,i,5439501453116606531,4811870278701695327,131072 /prefetch:8
2⤵
PID:2716

C:\Users\Admin\Downloads\SteamSetup.exe
"C:\Users\Admin\Downloads\SteamSetup.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Program Files (x86)\Steam\bin\steamservice.exe
"C:\Program Files (x86)\Steam\bin\steamservice.exe" /Install
3⤵
- Executes dropped EXE
- Modifies registry class
PID:3020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
PID:968

C:\Program Files (x86)\Steam\steam.exe
"C:\Program Files (x86)\Steam\steam.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2344

C:\Program Files\Koalageddon\Koalageddon.exe
"C:\Program Files\Koalageddon\Koalageddon.exe"
1⤵
- Executes dropped EXE
PID:2816

C:\Program Files\Koalageddon\Koalageddon.exe
"C:\Program Files\Koalageddon\Koalageddon.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
1⤵
PID:2200

C:\Program Files (x86)\Steam\Steam.exe
"C:\Program Files (x86)\Steam\Steam.exe"
2⤵
PID:5108

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=5108" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\Steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
3⤵
PID:2076

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x228,0x22c,0x230,0x1f8,0x234,0x7fef14eee38,0x7fef14eee48,0x7fef14eee58
4⤵
PID:2600

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1172 --field-trial-handle=1196,i,12428068944452160819,12457641574020183699,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:2836

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1420 --field-trial-handle=1196,i,12428068944452160819,12457641574020183699,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:3148

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1488 --field-trial-handle=1196,i,12428068944452160819,12457641574020183699,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
PID:3880

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1676 --field-trial-handle=1196,i,12428068944452160819,12457641574020183699,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:3844

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1660 --field-trial-handle=1196,i,12428068944452160819,12457641574020183699,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:3712

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=5108" "-buildid=1726604483" "-steamid=0" "-logdir=C:\Program Files (x86)\Steam\logs" "-uimode=7" "-startcount=1" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Program Files (x86)\Steam\clientui" "-steampath=C:\Program Files (x86)\Steam\Steam.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write --disablehighdpi "--force-device-scale-factor=1" "--device-scale-factor=1" "--log-file=C:\Program Files (x86)\Steam\logs\cef_log.txt" --disable-quick-menu "--enable-features=PlatformHEVCDecoderSupport" "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
3⤵
PID:3560

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files (x86)\Steam\dumps" "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1726604483 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x234,0x7fef27aee38,0x7fef27aee48,0x7fef27aee58
4⤵
PID:4036

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1160 --field-trial-handle=1208,i,18166990016458893634,16918197855014024930,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:2468

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1188 --field-trial-handle=1208,i,18166990016458893634,16918197855014024930,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:4132

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1616 --field-trial-handle=1208,i,18166990016458893634,16918197855014024930,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
4⤵
PID:4904

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1612 --field-trial-handle=1208,i,18166990016458893634,16918197855014024930,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:764

C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe
"C:\Program Files (x86)\Steam\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --force-device-scale-factor=1 --disablehighdpi --buildid=1726604483 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files (x86)\Steam\logs\cef_log.txt" --mojo-platform-channel-handle=1228 --field-trial-handle=1208,i,18166990016458893634,16918197855014024930,131072 --enable-features=PlatformHEVCDecoderSupport --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
4⤵
PID:4428

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77057f.rbs

Filesize
56KB

MD5
d0da95527416760660829a65e360454c

SHA1
4aedf540951985c08dc1c6d2629b992612e60c90

SHA256
fc5d0ff3d01e50595918675172bbe77461ea40ee4dccf2b34d92e8485ce92dbe

SHA512
4174fecf6d03603438d984b1eddf588dad767c07400a82e779afb770297ad930ec7b4a75865e4a83b8354e7585a06437174bf6e3957c6884e32941ff9cd06103

Download Submit
C:\Program Files (x86)\Steam\Steam.exe

Filesize
4.2MB

MD5
33bcb1c8975a4063a134a72803e0ca16

SHA1
ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

SHA256
12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

SHA512
13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

Download Submit
C:\Program Files (x86)\Steam\package\steam_client_win32

Filesize
8KB

MD5
02b5961bd0e56bc64b88ddcf903fc42a

SHA1
6b38e72dfc69a1df2eabfbff33d8c8ba41fcf6b2

SHA256
bd6016432b150c897af0e8ea6a7ae8df353b67a5e6293359b79dde002cabd8e0

SHA512
1539f90f4822b34ec8a841e8482144625738173e2eef5ef33bac75cd4666a20a449b7009ddc4fa04cd53197a2e6cd35075bea65f8583d9eea36813bd964807cd

Download Submit
C:\Program Files (x86)\Steam\package\tmp\clientui\images\8669e97b288da32670e77181618c3dfb.png_

Filesize
1.5MB

MD5
220d457252003a47bd6c120b059c2a92

SHA1
35f68a1017339b27c98a64d87540d7adcd241ad1

SHA256
4d1f5f98d7e42ba4338d0388fb386344d5c374a47d45fde1ef5b3606080f5e8f

SHA512
7768d3c36cc77be7088a1ff5529e6cde2ccc1b0715c8f3dfbf7447685414e7982aa0202e85fb913eaae8be4ec70d3a8c5d09953e7f3ce524b97ba8d266f91d5c

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\btnOvrOffBottom.tga_

Filesize
444B

MD5
89cb2bc5ccdab01b0653d4dbb3d6a062

SHA1
afb947fffd5f5f3723e0c8c3b52cb8cbff406ee9

SHA256
ecd13153d9d438809a38de30f3abbb0f6f92837a7e3cacb442a9a9309bcd78d9

SHA512
e5bef83bfad930e2b68720e00d450aa879619dcabcf8d96f9f8c47636a95a9662bc91b04cfa9160081d8af79a1257b75647d89677123f28b8c609808d5b86653

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
6KB

MD5
5a5715177822e69c98aab578421ae78f

SHA1
175ea27d6ef6df27fae93a724c94b2c770f78205

SHA256
5afc5816946e0d7b6d57a99a60be71d9e88670d9a63c18e249c9266d8e95cd2f

SHA512
b11d05dff7f9ce55c2b30de82709f5aa9b410734e1b88a6879e3489394a5b36a27389022de0a741a16f70d0639439d4f75942c3fd604567d63b9ec229d86b331

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\cloud_localfiles.tga_

Filesize
14KB

MD5
c4e538289a4c12da96cec77e7a3e36d8

SHA1
12d57144c0e79edbabc8033a9bf22b1720299f2f

SHA256
c7a1b0021d1f943e497c592d83050ac85a3b93aff732f9b94cd26d9c41b37ca3

SHA512
db3eac8c05b7277a6ab9974c682b20350705fcf616040204bab053d98cf193c2d6fc416eb571ca67f7e53bda59ccaddc0351bf60310a64dba2d83fd9aa539ab1

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
15KB

MD5
577b7286c7b05cecde9bea0a0d39740e

SHA1
144d97afe83738177a2dbe43994f14ec11e44b53

SHA256
983aa3928f15f5154266be7063a75e1fce87238bbe81a910219dea01d5376824

SHA512
8cd55264a6e973bb6683c6f376672b74a263b48b087240df8296735fd7ae6274ee688fdb16d7febad14288a866ea47e78b114c357a9b03471b1e72df053ebcb0

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\[email protected]_

Filesize
92KB

MD5
323181f4e9013b8b341897abd322e56c

SHA1
85e2e4a5d38c515185415bd4aa8d24f32d428fa2

SHA256
e0ce36b93ae67846424364085ad79ee24fe5c036e5f6a78a4acbe1583f22daab

SHA512
24fc5c82e25f2ee689b0888c6905f13ae74037e8db06a39b247d525071c858e8a284600dc5e33f006a2657d04c0b045c146c2af0951c7ecdceec34082a95d004

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\icon_button_news_mousedown.tga_

Filesize
20KB

MD5
00bf35778a90f9dfa68ce0d1a032d9b5

SHA1
de6a3d102de9a186e1585be14b49390dcb9605d6

SHA256
cab3a68b64d8bf22c44080f12d7eab5b281102a8761f804224074ab1f6130fe2

SHA512
342c9732ef4185dee691c9c8657a56f577f9c90fc43a4330bdc173536750cee1c40af4adac4f47ac5aca6b80ab347ebe2d31d38ea540245b38ab72ee8718a041

Download Submit
C:\Program Files (x86)\Steam\package\tmp\graphics\tabStdBottom.tga_

Filesize
48B

MD5
bd64c051ae2410eef96839a3cb7297f7

SHA1
95a5b0455d69127fe50e396153c795d9914ce0d4

SHA256
5caa5fa3e79dcd8ec5ec20256ed7c77efaae77e0ae8d89e4a974c484cb177d84

SHA512
ea2f76c8cf5dc2fd15017ad9b942d020c3ad5ce1cedc2a1604137ea02f8411cfff4166ffe93c101756b404344488b304cf2b4a71c25b2929654dda9a88a88793

Download Submit
C:\Program Files (x86)\Steam\package\tmp\public\steam_cloudsync.ico_

Filesize
47KB

MD5
da277b7a17374bde018ffab02015238b

SHA1
ceaafa1a1ed7d2101ad3c2884159364aacbf9dcd

SHA256
5aaca90948de8f7d11264ed608a2f96acba061e6463d337d658b00ed1c552449

SHA512
5a6e542ae9938f560d40348ceac663feaf889a6c990efdcfbea919531dbc34771fe2f0f366ab7adc15e998e5ed392d80dad78a8392f11b9c8fdf2c67f0431a53

Download Submit
C:\Program Files (x86)\Steam\package\tmp\public\steam_cloudsync_posix.tga_

Filesize
64KB

MD5
be3a210738638c4f33aa7e01cb475e26

SHA1
02276a10cd77cfd57e4c796c45d69d526f8420bd

SHA256
fd2abb8945c06a6b9c5444baf6ea523b52bf7a03a58b34ebe0a6a110630ed5f8

SHA512
6a11640800df51a8d88ef4224acd39cbb051dcdd6239bee82575ca11772a6a52e40c6614af3ea61320d29b4f75fc9611f6182ad2a55d7284863fd38d89631feb

Download Submit
C:\Program Files (x86)\Steam\package\tmp\public\steam_tray.tga_

Filesize
1KB

MD5
7ecf5b072a3c49209af4710481dff5c9

SHA1
6b49560eb27b2d7cd169c066208d4fd3a4863f3b

SHA256
f747d5fd27e74412be05bb376c0ff12fcebb7f39c158eaa89ab6a0a9d92ef3b6

SHA512
ec9ed9d824471655a48b48324a023a7231560810f6403f0ded04af35b51dde4dcd244bd4147570ac9c5cf0c841af33caaf8de7d60cf20f6fcbedbd1717d6d262

Download Submit
C:\Program Files (x86)\Steam\package\tmp\resource\filter_clean_bulgarian.txt.gz_

Filesize
23B

MD5
836dd6b25a8902af48cd52738b675e4b

SHA1
449347c06a872bedf311046bca8d316bfba3830b

SHA256
6feb83ca306745d634903cf09274b7baf0ac38e43c6b3fab1a608be344c3ef64

SHA512
6ab1e4a7fa9da6d33cee104344ba2ccb3e85cd2d013ba3e4c6790fd7fd482c85f5f76e9ae38c5190cdbbe246a48dae775501f7414bec4f6682a05685994e6b80

Download Submit
C:\Program Files (x86)\Steam\package\tmp\steam\cached\game_details_header_green.tga_

Filesize
2.1MB

MD5
1ed17a7d11da47608f99d98a8d249e6f

SHA1
ea3d9e0de541be2a346e93e63286f0265ac302fc

SHA256
a24832de8b80e206143170a899ab91e76e85685aed74963fe2f490344bbf6427

SHA512
e423be766c3d615dee6f3ed8b0b7bb5735ec13617a93f6f5403a3e7c4c379b9ab87e9fd5f0c9fa9338f656e321488d0aba895ac9f77da413e27473b2218b9ac7

Download Submit
C:\Program Files\Koalageddon\Koalageddon.exe

Filesize
448KB

MD5
f3fee249c9335225e3af98f11d805f34

SHA1
1d5065a559c156c11caf81ebfa9f3366caba76b2

SHA256
edfc0e68e302b33410c0bcddca6bd2112f0816861cc9360e22b80c0004852e24

SHA512
f0652631f55e2530ff6e4b5462a48df7109a1969f14af8c9778b413fea84a0113e30c9281ff772921a981d45e8dcb9150d141cbc9b33d0fb98d3fec7a62e4896

Download Submit
C:\Program Files\Koalageddon\app\Koalageddon.cfg

Filesize
6KB

MD5
7aa4849ccca139f773ec9600939d134a

SHA1
6f564bc8ff510a34f122c3a003720b7d74fb1040

SHA256
f531d92293ea94b05f5ea513a4e716b7cf1bf16f423ecae8a56463785e368f0b

SHA512
3a21add2eb783318bc9080a60a3b9ccfe511f38dec322da5c75b134d683c531cd103395e754370c4beb43afc36e89f35d0d5d930e6bf2069522b71b277c5c9c1

Download Submit
C:\Program Files\Koalageddon\app\animation-core-desktop-1.3.0-e4e0deec43a1fe5e167c411ddc9bf385.jar

Filesize
191KB

MD5
5a520c626b84462f370e0fcfc41372b0

SHA1
eb8fdc5755bfedd507c7f9c18c42b5da0e4ef484

SHA256
a81f21bda4c67d075934506f7b738b909bb5fbaad9be5d91b000f7b440dee0ce

SHA512
2586584a5659fc130148e34d7fb196c3d87dd778efb4ac0b9863ea0a17d4d20cde17a514dc42e59490af45ffcbf48eedf3611036adf57b1984aa966da13412aa

Download Submit
C:\Program Files\Koalageddon\app\animation-desktop-1.3.0-6ed1e4ad7942e528b3f2af8cf36d32d.jar

Filesize
234KB

MD5
ed7365b40630845605a1748e57f1121b

SHA1
f4205490f8f0c53466115f8a8aa459b4f1995eca

SHA256
ae6e222389babc212b96d0582b55a962a52aa249acfcd96bc60629614e807efb

SHA512
626945d618ad48d8410d0a04890a34ea54465651fb42f30074a41b4abf371589793bfa705603fb1c7d4d161c76dda3785dcd80a90363829eb657f7f4e24dc905

Download Submit
C:\Program Files\Koalageddon\app\annotations-13.0-f4fb462172517b46b6cd900358515a.jar

Filesize
1KB

MD5
220caeb4af9453baa13b3beb95405729

SHA1
8539b6d1de27a81dfa5f76099d210205c8126de0

SHA256
21c62075d4bb3f9a0938fc8ec838a717498a2d947ab9949bf2ca024a574a93cf

SHA512
54b719a33cb3164b51b0397bb19a307c9f4f863d409d5fb3051cb5f059c22396e90660d2c14cb77f0cf462cba73f2c60416eb53edf84d2c880463e81d3087d8f

Download Submit
C:\Program Files\Koalageddon\app\appdirs-1.2.1-accf8bf9c4a91aee4c715d66240d4.jar

Filesize
8KB

MD5
96d905e3b90a53543f2cc5a0654dfee4

SHA1
a5aa1999ebf5c053d497cd58b9221fe8823d6d6d

SHA256
1c3e66c853a6c508814201e28e6a8687576f4a78cdddfdf2febf7f447dd35ffb

SHA512
173a7b21017f7a16138ebba12f18f8df543d8f75da4f770dc37bd40ae38de74c8240fa33de4178d5344f984e08e151399d00c495accfbe588f72d3381d3e483f

Download Submit
C:\Program Files\Koalageddon\app\asn-one-0.4.0-d3153e6fec8296ebfbc8936fdcef775b.jar

Filesize
1KB

MD5
0ed44204e268b6f70e32f1d02e117619

SHA1
74cb25517d18757a664ed9d3dee6aa2b76c45ab1

SHA256
97b97c88f7e87413912bbc3f0588b955b49589f65f88e2d5b5add5ddf3ec19c5

SHA512
32e9c6077e18fd7aad128620dad4c307a72b37a6d01ff8276e378090c5c2b95939da971d2b6c190ce61af9e640c499fdb252f5657b7f3ecd454b4706b32c363c

Download Submit
C:\Program Files\Koalageddon\app\atomicfu-jvm-0.17.2-d6b6f3a195696acf1828b1f125125ed7.jar

Filesize
448B

MD5
123c23839aea1dac0ce76999f987e0a1

SHA1
f157876b2e8c240cccefd78f8a264248fc85f51b

SHA256
128affe73bb8a99351f93b1eeebc3825005df8c241b9a47498f6c64e26d039a5

SHA512
5cd50ce7d9ce01ebfb471cf8020bc3871a3afadba1c24c48e72241c4e4b6525b185362bc6462b4adf7c65e2d80cdcaf7bd9c3c49312bb584caf12528903c4013

Download Submit
C:\Program Files\Koalageddon\app\bcpkix-jdk15on-1.66-a5b13435d46cb52abb0a47feb77e5e.jar

Filesize
102KB

MD5
99770ff0bbe41caaa6b4bcef9a81373d

SHA1
ea5589b94b94cb3365d48adea38f83a00fbb9b4e

SHA256
9cab2d6a97fc75e319d72fe6eb4fe207d4a4435b4140f47b41156b38c0863a62

SHA512
3e54afae3f043b0332eb263064e076da3ae791876fbe1026c01c6193244466a507ae53fe1b64e88ea58fab9bca01db2afba27ba17313e18f06b7dba8e8c5c868

Download Submit
C:\Program Files\Koalageddon\app\bcprov-jdk15on-1.66-fd57b228172782ae6a73d22a7ac9b45.jar

Filesize
598KB

MD5
318201d533696e9c309e511e0bb5dd4b

SHA1
d74788b1c608eeaa7b18c9dc306d0753fbfe80d9

SHA256
46c5d19ca0d4eb406b902a35bc35fe4d522b85d5b7505c361662de044611b485

SHA512
e6c1ec7b120422d7ea3a117191558672747ebee3d35aca923de4013c754397a4a24e9ec3f97a66afc36bea75627d9634eaaa44fcd6da80f1177d1623cd03ea59

Download Submit
C:\Program Files\Koalageddon\runtime\bin\java.dll

Filesize
143KB

MD5
aa069d2675ed9415ed03ec50618613cf

SHA1
ecdd5d910052006c1a98f51d927fe048739776e9

SHA256
66c02525e5ec60e0d74b4225ed6f7d85c778d774f298b46577aea82b369689c1

SHA512
55d3f64576e6e4bbbe89082b347161a8f8d67d4c0fb0a5104286bfbb4a822d8a8e88c7c161ea3db703032065cf716328fcc3db4acd4637c6157cef712977f845

Download Submit
C:\Program Files\Koalageddon\runtime\legal\java.prefs\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files\Koalageddon\runtime\legal\jdk.unsupported\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Program Files\Koalageddon\runtime\lib\jvm.cfg

Filesize
29B

MD5
7ce21bdcfa333c231d74a77394206302

SHA1
c5a940d2dee8e7bfc01a87d585ddca420d37e226

SHA256
aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0

SHA512
8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

Download Submit
C:\Program Files\Koalageddon\runtime\lib\modules

Filesize
42.9MB

MD5
c2ee0e3826328a754236745993350b24

SHA1
11325146dcde886025029df3c23f801c7776ecbc

SHA256
cd381ab9beb6d19f34509b8f9b444b23bb1a01499d65617cfe7b3534668c9696

SHA512
0fb52de03a9d566a92a7f53dc4edb2c878885c1b3f6b147150f1a4620316c9519cef83ce8be7df79a31ce4f44dd5fe2f83685bcb2809140ac904f58ee3afe45a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6224fdf5-9852-48bd-a41c-c7d3508d0e80.tmp

Filesize
6KB

MD5
203b0f143321bcddce1a23ddd31abe9b

SHA1
1b9910608fb02f286458e6830c49ecff2bfbbc3d

SHA256
f5adbfa53485394c6bf26bda736c9ab926ce280721bb85eba77ee5bdc1948896

SHA512
d2c8514a287eeeaaf1733aac04fcb8ac9a474b6fc5cda430adbbfce5bbe01f1e5b3fad5537a7ba17d114878f2c691bbd2941ce1ee7e1a810293823d0ad6ce09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c315bc95af9d6ec731d296a4f11391cf

SHA1
d671f417c807bd52e7275c787f00499d9e526869

SHA256
81b2e8aa899ecbe42a8a9881c0903f209afa7ea862ee908fe7abb59c41a9b196

SHA512
eb38713d3e866217353656053191e6d81cfd334fd54eea70520ce3dcfddeb4807b57a03f781999ae0c1c238d5b0ec017b182818710deb1700392b4d5ae7b31c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d57d548a44f4d9262694f07f33e37b0b

SHA1
05e7a59a2b90963e65839dbb0a9271cdb3e225b0

SHA256
1c3a9fd6ecfe1cbf1e09532965c128a0c0f182631ae2900c92b360f495afa724

SHA512
4c1132817bf22457ba951f397979d9c5c4d457eac6704254cd2a7205272d734927734a2c0e724dffc4a97a922d96180a52661938ef038ca0aebdff3957bcc21d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
56e17e64c476485f5e0d54799bc95a21

SHA1
fae271f06ba270721cbc693d9b74f098c06e9314

SHA256
147fc5a430730bbf3febaea02aec4c4d00f3d69d1587cddccbe1fc9ef1a2bda5

SHA512
6544686455a5d43c7c46e2b3d3645ad58d6e32a0a12bd5333e6f6ee2ccef605210eddecca5e92c7236380fc74c8ac7e64641c66f2653261c0643613b0811cb77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
360aa53d45f5d0dea1e1c3fc2e21e2fa

SHA1
731761bb9786b51791ba4b8280e55ea9244e7504

SHA256
b37b2d1b3634b9b7ccec8ba85fc721998ae2093f753ac87d8e2d69b968fc30fe

SHA512
61b50c9c0fdeec01ab5df22a45fb47784f6c5cfb9e5f74a703757278c73b728c2da82f6e17dfdbc50f011e5b54c6f417943fedfa0f94115c442d9745bea01d3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c4979026261e257354fa247ff4d2948c

SHA1
ca50c29e3a11871ef09a22ff2ada5847699e3bda

SHA256
acdbc159c3fa5248d4f018c34a0bf296962250e19e356c4fa26077fa99d870a4

SHA512
bb185fce593166a75ff29ddfc868e64f110925c5428618dedb990e403d1646958a41dec637ba8231c088021ea5107d1979a3f6d7c44cdf89ddb954936ebd05d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
713f0b24ed79b4a2c1ce404d1ca1bf37

SHA1
ce44811239f4a7477090ff09407365421ddd96e4

SHA256
5d49b7a4a613013c3e28fb22f224f2f51b067466d9e7aa37f83a890ff75de53b

SHA512
ccb80a44bf5aa4b7e01b53e8aa0165d47ed9b8690c7e2bc3138559a87cdb9e7a41e1ed2bb69b3afa8e1ab274d5a26ecd3623162005594b0d21140c9d73813dba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c9baad7edf8b11ed6beadafd08534a1c

SHA1
1c839e358f1195fa1b9e95c9b5eba0329ba9cbe1

SHA256
1e5716ead2b3e0c056bcdb67fe83e83af3aa79b3e0d1b5647ae231c3ec03c565

SHA512
e4ea2003092f9a69e4672347077f1f64fa34c09ddcf0ffad6f95d1f16a052233c7457c0bf888ec399ea4bf6f9c07feecc385faf201cd4d6a2c27ff71098cf9a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
a1a77238f2776cbd816f89653dcb6f41

SHA1
427e14d51fe3a811d1904102d1240b2bb6bb679b

SHA256
63a8cf69d4aa9376158b1668eb2ff511ce01dd783ebe9540436a9bb1048d34ad

SHA512
e0fccd6a6dea2aad7b8496af97066d14ee79d5a453062d9744a6209e0142c3d467adbc219ed3096f83632cddbb8fb1f9ce83235763e161eb94b92dee8cf57d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
355KB

MD5
ffde5c24fd8b4efe36b7e10775de3fd6

SHA1
978391f8cbe1f50489bc0dde61ca52c3f718cd83

SHA256
a315970418d193a11638ead942a7bd3e4af378272ad4cf31f5141511b398de3a

SHA512
0fc75e01afc31ed280757c301749a99d44a2fde6d6e0c0b74a74598996e9e8462bcae44fb8fa7c326ed945de4d9431ab1ddc6819b4d800000927f2511a4c5a16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
355KB

MD5
ff9c2a44af281b19f12a5bc782bed50e

SHA1
97dfe528614facce1ed331f23409fd96d4c71818

SHA256
30e9747e8fc5e929d8e247ef51031e4ffd0573b05465ee739d4380194e84fcc5

SHA512
9d16f83fb296f3cfe2476db7c6bc78a71bdc8c412158490eee99624025b69d7fc2149ad48648f250d396d72dfe0f30099c1d2c559eceac1ff070b7b678ceec68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
408KB

MD5
063a5c6046b46226bf4eb9db5e8af8fc

SHA1
db6096567fea3accf541e6b9319b40ec9bda7080

SHA256
25f147613a289f84613e7203f6a61bb94d64a1cd830f31e424cb25d6ab2bc54f

SHA512
6dec69f7a3c16a75cc217086a9ed0d7e441cf9c722389d5261645ad4161df1d81ab1667725d3a4dd09b86cba57d0095098350c960f0ab77a9c968e234b813b31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
74KB

MD5
3ef5dc4fb0c9cfe0c8d67ad6498d307d

SHA1
b1858ba3ca1705056ee443b00dfaff4842c1922d

SHA256
edeb19273f0e7cd936f885bc2ddbd585474b22d56777b51e7e3d4da31670e867

SHA512
043de43565748089fcc0f4995a580fbff5d142706b794145cd4d22c8480b3e57ababc89c8657ddb94cf7b52716d0562954619dfed9550d9446c16c1371f33257

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Steam\htmlcache\CURRENT~RFf7ba90c.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC229.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDE5E.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDEBC.tmp

Filesize
104KB

MD5
e76ab52d50197baddbc0d921e1d8eea5

SHA1
3789e237ad3b07ef43f4014e99099a0b43b1392d

SHA256
6e3dae02524f00ee37f33123f7fac943ed2a8617988ec4a667fcddb7764c634c

SHA512
f21b9b45a3b8b079c26568962559d56377fe0cbefde287f4fb763c8fd85df72220858bca598dcbaaa47c0fa23ea9c4ed90375a40d6a55ca062dc373cfbe80c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC27A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna5794099306361955491.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuFE5E.tmp\StdUtils.dll

Filesize
110KB

MD5
db11ab4828b429a987e7682e495c1810

SHA1
29c2c2069c4975c90789dc6d3677b4b650196561

SHA256
c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

SHA512
460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuFE5E.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuFE5E.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuFE5E.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuFE5E.tmp\nsExec.dll

Filesize
17KB

MD5
2095af18c696968208315d4328a2b7fe

SHA1
b1b0e70c03724b2941e92c5098cc1fc0f2b51568

SHA256
3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

SHA512
60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuFE5E.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\acidicoala\koalageddon\unlockers\SmokeAPI\SmokeAPI.dll

Filesize
2.6MB

MD5
4a1a823e5cf4fb861dd6ba94539d29c4

SHA1
8e2f160783e159fdd33e806acbc5afb37f84ec4d

SHA256
f874fa379dc8557f5d640a17753900a7c1a1d5f93a13aeeef176316b8ccf0764

SHA512
018768c3dbee58ce5c42d00577160ab9766284200c37a173c0fb711c82db6ea6d8e7a80a66e0be5afe853dd8ab07a378db25dea0de0b6adc43b1fe9b7cf46e52

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 619087.crdownload

Filesize
2.3MB

MD5
1b54b70beef8eb240db31718e8f7eb5d

SHA1
da5995070737ec655824c92622333c489eb6bce4

SHA256
7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

SHA512
fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

Download Submit
C:\Windows\Installer\MSI628.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\f77057d.msi

Filesize
46.4MB

MD5
155295f8dbaae190dd34adadecfb302e

SHA1
c720229eb480dadd40649a2447b3e618a83d568c

SHA256
793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8

SHA512
cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
dbc27d384679916ba76316fb5e972ea6

SHA1
fb9f021f2220c852f6ff4ea94e8577368f0616a4

SHA256
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1

SHA512
cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

Download Submit
\Program Files\Koalageddon\runtime\bin\jimage.dll

Filesize
32KB

MD5
bd60efd008e48bb99caeac946ced792e

SHA1
855d278e7ca1c1e918bd5f32c2a3fd8772554f52

SHA256
fc2be5399a034c07beb51270471144eedecc5068139b7ae2a7dfff7719b19746

SHA512
d66a0095c57a521537dde53b4c3d730a719f91d41f51f1eb7efd666f5dbc00b9837e7ff28dd05cf3a8a2310a51083e3be044fd126840b0ddb885ff3e0edf5344

Download Submit
\Program Files\Koalageddon\runtime\bin\jli.dll

Filesize
88KB

MD5
3a315274152a0ff52027c0ba0a960a21

SHA1
e3ebb1bb6fbacbb12fd9f6231d950666f2e5a034

SHA256
4a40a3a94d69ae05a2d31143c3877ff4ab5bb497445324d1bd693998e0b9ef24

SHA512
9705a7cdc86ee88b64235f4d9362c7b4e610367598ac4f4617a9761675c229b3ad94ecbd321e48718f14fb09419545c01ac975d5e577217a1a2ba85723c6c5b9

Download Submit
\Program Files\Koalageddon\runtime\bin\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
\Program Files\Koalageddon\runtime\bin\net.dll

Filesize
94KB

MD5
b4e840ed1c5dbca49f34028137fb3178

SHA1
98f24cac1b6f8b86ae24efe532720b5256e635fe

SHA256
e0e567586af9eab9f95b6d84b60fd2785e38e202908ca62579d0fa7261a65a83

SHA512
63610e17bf0a2b357e4bed5f78c2e6449ec4d498e70025ff37a8f80362d41e50cef6c4197b3b0eda6f842a8fa90e0e2f88dd59ff0eda1632f17137b5c852365e

Download Submit
\Program Files\Koalageddon\runtime\bin\nio.dll

Filesize
78KB

MD5
cf63016b7c60c45d7707b8aabb705ce3

SHA1
3d4067d14260cd816a52e3640774d1fcd8bd64b7

SHA256
b92a5e3024e1c05427cbdc593deaef2473a74d7baf4c5d98063ce6e98bd0a619

SHA512
d84a0d7ce7d5ebc59f17aced76b2aa12f924f9a823f776da49f7099b4f2c3828b737be0001e47486aca9eb70363d9cb9068a1d75524853d0792d71874ee3ca62

Download Submit
\Program Files\Koalageddon\runtime\bin\server\jvm.dll

Filesize
11.5MB

MD5
89ad37a2cce32eec711b1df655ce4b8c

SHA1
1fa554d4382696eae8c2523990f3787598a22a24

SHA256
13bcca0624bfb0e41d684a97e50ca07479cb12c6643f61fadf72985688c7a6d1

SHA512
e09a135b86ea9d4778c31ded4a27210114a9db26fdb3085568c70064fb0fa2e8e1903a7286ff7df5025fb8b6fb02af960689fdb6f60820a023b2ae64af5497e8

Download Submit
\Program Files\Koalageddon\runtime\bin\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
\Program Files\Koalageddon\runtime\bin\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
\Program Files\Koalageddon\runtime\bin\zip.dll

Filesize
85KB

MD5
ade1f943087e19c5085ce31125f585b1

SHA1
9f6021d049b09008be221cc1721ea5d12d3dc877

SHA256
090ac3d37609f9717861dfb4535466fb1ff48b2213b837ddc3777f9c8d960d1e

SHA512
f3ed6bfd4614574e300b46545c3e43a73d363c252539a0efbf2bd9e2e8921029b0233a7f67f689dbb967eb648c88c0b012944841a4c3e11aad8d4eb66822857f

Download Submit
memory/2200-15862-0x0000000000CD0000-0x0000000001182000-memory.dmp

Filesize
4.7MB

Download
memory/2320-347-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2320-348-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2320-405-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/2836-978-0x00000000030E0000-0x00000000030E2000-memory.dmp

Filesize
8KB

Download
memory/2836-15868-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download